
Would 2 factor auth even fix this? If you are hijacking the session ID, the user has already authenticated.


In addition to login, 2FA is typically required for irreversible and other sensitive operations like transfers, for exactly this reason (local malware, XSS, etc., can steal cookies).

This should be pretty much required for all services where users may have significant amounts of money at stake. And users need to be educated to actually enable it.

Coinbase finally enabled 2FA for transfers (of more than $100/day) this week: http://blog.coinbase.com/post/73364231652/security-updates-o...



This happened the day Coinbase enabled 2FA on transactions, so it's hard to say whether it was before or after it was enabled.


Depends how 2FA is used. If it is on a per-action basis it could save you (you know the SID but don't know the OTP/token).
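Added example (not code from any commenter or from Coinbase) of the per-action step-up the two comments above describe: a transfer endpoint that accepts a valid session but still demands a fresh, single-use TOTP code once a daily threshold is crossed, so a hijacked session ID alone cannot move funds. The service class, the user/session tables, the secret and the $100 threshold are constructed for illustration.

```python
# Added example: per-action 2FA step-up for a sensitive operation (transfer).
# A stolen session ID is not enough on its own: above a daily limit the endpoint
# also requires a fresh RFC 6238 TOTP code, which is consumed once.
# All names, secrets and the limit below are constructed for this illustration.
import hmac, hashlib, struct, time

DAILY_LIMIT = 100  # constructed threshold: transfers past this need a fresh OTP


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TransferService:
    def __init__(self, user_secrets: dict, sessions: dict):
        self.user_secrets = user_secrets  # user -> TOTP seed (constructed)
        self.sessions = sessions          # session_id -> user (constructed)
        self.used_codes = set()           # (user, code) already consumed
        self.spent_today = {}             # user -> amount transferred today

    def transfer(self, session_id: str, amount: int, otp: str = None,
                 now: int = None) -> str:
        user = self.sessions.get(session_id)
        if user is None:
            return "denied: no session"
        now = int(time.time()) if now is None else now
        if self.spent_today.get(user, 0) + amount > DAILY_LIMIT:
            # Step-up: a valid session is not enough; require a fresh OTP.
            # Accept one step of clock drift either side, compare in constant time.
            secret = self.user_secrets[user]
            valid = {totp(secret, now + d) for d in (-30, 0, 30)}
            if otp is None or not any(hmac.compare_digest(otp, v) for v in valid):
                return "denied: otp required"
            if (user, otp) in self.used_codes:  # replayed code from a captured request
                return "denied: otp reused"
            self.used_codes.add((user, otp))
        self.spent_today[user] = self.spent_today.get(user, 0) + amount
        return "ok"
```

With a real deployment the used-code set and daily totals would live in the session store, and the daily counter would reset on a clock boundary rather than only grow.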


MtGox requires a new 2FA code for pretty much every action you can take (buy/sell/withdraw).



