2FA is encouraged for one reason, and that is security. Assuming that 2FA is on, when a new device attempts to log into the government portal, and assuming the credentials are known, the person logging in will be required to provide a valid 2FA code. On KCI devices, this will be through the K-Wallet app. Other devices will need to use another authenticator app such as Google Authenticator. Assuming the person attempting to log in is the person who owns the account, they will provide the 2FA code and indicate whether this device should be recognized in future. The person then logs in and performs whatever tasks required logging in.
If a bad actor wishes to log into a person's account, they will need the correct credentials. This means the bad actor has somehow obtained the person's GIN. Once they provide the correct credentials, the site will require a 2FA code, since this device is new to this account. This is where the bad actor gets blocked from logging into the account. If 2FA is not enabled, then knowing just the credentials is sufficient to log in.
For any login attempt that fails because of 2FA, the affected person will receive an email and an SMS message stating that a possible bad actor knows their GIN and attempted to log in from a particular IP address. This should encourage the person to report the breach attempt to HHS. With 2FA turned on, they receive this message, but the bad actor does not get access to the site. The person should log into their account immediately and change their password.
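To make the flow above concrete, here is an added example (not the portal's or K-Wallet's own code) of the new-device check, the RFC 6238 TOTP verification that an authenticator app's code would pass, and the alert text produced when 2FA blocks a login. The account store, the GIN, the device ids, the password hashing scheme and the IP addresses are all constructed for the example.

```python
import hashlib, hmac, struct

SALT = b"constructed-salt"  # constructed; a real deployment uses a random per-account salt

def hash_pw(password: str) -> bytes:
    """Slow password hash (PBKDF2) so a stolen database does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account store keyed by GIN; hypothetical, not the portal's real data model.
ACCOUNTS = {
    "GIN-0001": {
        "password_hash": hash_pw("correct horse"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
        "recognized_devices": {"dev-home-laptop"},
        "twofa_enabled": True,
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps such as Google Authenticator use."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def attempt_login(gin, password, device_id, code, ip, now, remember=False):
    """Return (outcome, alert). alert is the email/SMS text to send to the owner, or None."""
    acct = ACCOUNTS.get(gin)
    if acct is None or not hmac.compare_digest(hash_pw(password), acct["password_hash"]):
        return "bad_credentials", None          # wrong GIN or password: no 2FA prompt yet
    if not acct["twofa_enabled"] or device_id in acct["recognized_devices"]:
        return "ok", None                       # known device (or 2FA off): credentials suffice
    # New device: credentials alone are not enough, a valid authenticator code is required.
    if code is not None and hmac.compare_digest(code.encode(), totp(acct["totp_secret"], now).encode()):
        if remember:                            # the owner chose to have this device recognized
            acct["recognized_devices"].add(device_id)
        return "ok", None
    # 2FA failed: whoever tried holds the GIN and password. Notify the owner with the source IP.
    alert = (f"A login to {gin} from {ip} was blocked at 2FA. Someone may know your GIN; "
             "log in, change your password and report the attempt to HHS.")
    return "blocked_2fa", alert
```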