> Adversaries just steal the cookie issued after MFA completes these days.
Stealing a cookie is a much different attack vector than phishing, which is what TFA is discussing. It also requires a completely different level of access and sophistication, which puts it in a category so different as to make comparisons irrelevant.
> It's extremely unlikely and naive to think that Google would not have at least one compromised account at any given time.
Stealing a session cookie does not equal a compromised account, while phishing does.
In the online world a session cookie or Bearer token is pretty much equivalent to an account compromise; in fact, often it is exactly the same. It's hard to argue that an account wasn't compromised if someone gets email access to it.
Not so fast. For years, Google has supported channel binding between GFEs and Chrome. The cookie alone is not enough: you need to steal the private key as well. I can't remember if that's the case, but it would make sense for @google.com accounts to have more aggressive settings.
Even before that, Google has had a system to detect cloned or tampered cookies on the server side for more than a decade, as described in its patented glory (don't open if you think your company's lawyercats are going to be unhappy):