Now that BT have forced the feature of remote router restarts (and may be other remote access features) surely now it is a must to have a 2fa option on the account
Don't understand the first part of your message. BT has always been able to "force" software updates and restarts if required.
Sorry, the BT app has a feature with allows remote Hub restarts, which means anyone who is able to login to the BT account can have a physical effect on the BT Hub. All that is need to do this is a username and password. I don't have any issue with the hub being updated and restarted, I see not way to disable to feature on the BT Hub. I believe this feature requires a great level security on BT accounts
So in other words the BT account holder's account has to be either hacked or the account holder has to give somebody their BT account username and password which would allow them to restart the BT hub.
I suspect that if somebody has gone to the bother of hacking the BT account,restarting the BT hub is probably not their reason for doing so!
EDIT: I should have added that a BT account holders BTID which gives access to MyBT does not need to be a BT email address so having 2FA on the BT email account would make no difference in this instance.
The moderators have stated in this thread "Whilst we wait for Two Step Authentication to be delivered," which would infer to me that it is going to be a feature at some point so it may well be that it will also be a feature of the MyBT log on.