Why is 2FA Encouraged?

2FA is encouraged for one reason, and that is security. Assuming that 2FA is on, when a new device attempts to log into the government portal and the credentials are known, the person logging in will be required to provide a valid 2FA code. On KCI devices, this will be through the K-Wallet app. Other devices will need to use another authenticator app such as Google Authenticator. Assuming the person attempting to log in is the person who owns the account, they will provide the 2FA code and indicate whether this device should be recognized in future. The person then logs in and performs whatever duties required logging in.

If a bad actor somehow knows the credentials of a person and wishes to log into that account, they will still need to present the correct credentials, which means the bad actor has the person’s GIN. Once they provide the correct credentials, the site will require a 2FA code, since this device is new to this account. This is where the bad actor gets blocked from logging into the account. If 2FA is not enabled, then knowing just the credentials is sufficient to log in.

Any login attempt, whether successful or not, will inform the owner of the account via RCS?/SMS? or email?. If a bad actor has the credentials but 2FA is turned on, the bad actor will not be able to enter the site. This ensures that the account remains safe. The owner will receive a notification that their credentials are known, and they should contact HHS if this attempt was not them. HHS may have to set up a new GIN if enough attempts are made.

If there were no 2FA, then a bad actor knowing the credentials would have been able to compromise the civilian's account and do serious damage. There will come a time, once it is known that there are no longer any basic cellular phones in use, when 2FA will be required. This is again for security reasons.
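The login decision described above, as an added example and not the portal's own code: it models a new-device check, an RFC 6238 TOTP verification of the kind authenticator apps produce, and a notification to the owner on every attempt. The GIN, passwords, device names and secret are constructed placeholders, and the password is kept in plain text only to keep the demo short.

```python
from typing import Optional
import hashlib, hmac, struct
from dataclasses import dataclass, field

@dataclass
class Account:
    gin: str                        # the owner's GIN (placeholder value in the demo below)
    password: str                   # plain text for the demo only; a real portal stores a hash
    totp_secret: Optional[bytes]    # None means the owner has not enabled 2FA
    known_devices: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"

def login(acct: Account, gin: str, password: str, device_id: str, now: int,
          code: Optional[str] = None, remember: bool = False) -> str:
    """Decide one login attempt; every attempt, blocked or not, notifies the owner."""
    if gin != acct.gin or not hmac.compare_digest(password, acct.password):
        acct.notifications.append(f"failed login from {device_id}")
        return "bad_credentials"
    if acct.totp_secret is not None and device_id not in acct.known_devices:
        # Correct credentials on an unrecognised device: the 2FA code decides.
        if code is None or not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            acct.notifications.append(f"credentials used but 2FA blocked login from {device_id}")
            return "2fa_required"
        if remember:                # owner chose to have this device recognised
            acct.known_devices.add(device_id)
    acct.notifications.append(f"successful login from {device_id}")
    return "ok"

def demo() -> dict:
    # Constructed data: walks the scenarios from the page for one owner with 2FA and one without.
    secret = b"constructed-demo-secret-not-real"
    owner = Account(gin="GIN-PLACEHOLDER", password="correct horse", totp_secret=secret)
    no2fa = Account(gin="GIN-PLACEHOLDER", password="correct horse", totp_secret=None)
    t = 1_700_000_000
    return {
        "attacker_blocked": login(owner, "GIN-PLACEHOLDER", "correct horse", "attacker-phone", t),
        "owner_ok": login(owner, "GIN-PLACEHOLDER", "correct horse", "owner-phone", t,
                          code=totp(secret, t), remember=True),
        "owner_recognised": login(owner, "GIN-PLACEHOLDER", "correct horse", "owner-phone", t + 60),
        "attacker_without_2fa": login(no2fa, "GIN-PLACEHOLDER", "correct horse", "attacker-phone", t),
        "notices_to_owner": len(owner.notifications),
    }
```

With 2FA on, the attacker's attempt stops at the code prompt while the owner's is recorded as a notice; with 2FA off, the same credentials from the same unknown device log straight in.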