That's only in regard to a phishing attack, but two factor authentication protects you in the case that you lose your password to an adversary who tries to log in themselves.
If said adversary can steal your password through other means (for example, you use the same password over multiple sites, and the adversary happens to run one of them), they still would have to coerce you into giving the Allow on your phone.
If said adversary can steal your password through other means (for example, you use the same password over multiple sites, and the adversary happens to run one of them), they still would have to coerce you into giving the Allow on your phone.