
Re: Hacked email and password change - Bypassed 2 factor authentication

If you scroll down the list of community messages, BT's failure with 2FA seems to be a VERY common theme and it seems most customers have the same issues and concerns over BT's unsophisticated security platform.

Our "MY BT" Account was compromised a month ago. A scammer fooled BT using online Chat and providing answers to very simple security questions (easily found on the Electoral roll or more likely already on the Internet) such as DoB, last 4 digits of bank account, BT acct No etc. Our account and email were compromised, emails downloaded and we had a £2k fraudulent transaction on credit card. Luckily, being in IT Security, I was able to shut things down quickly - once I'd found out I'd been hacked.

I recreated what the scammer/hacker did and, using a friend's MY BT account, I was able to answer 4 simple security questions and change the mobile number and ID. I was never challenged with 2FA.

I've told BT their 2FA is not working, 3 or 4 times. I've asked them why the scammer was not challenged with 2FA at the time of changing our ID and mobile number. I'm waiting for the answer. In the meantime, I record once a week when I log on to see if 2FA prompts - it doesn't. I record changing passwords to see if 2FA prompts - it doesn't.

Another thread implies BT have a new 2FA (from Feb 2024) which "is risk based and uses several factors to decide when to make a 2FA prompt". So I've tried clearing all history and cookies and using different browsers. No 2FA prompt. I've tried different computers - no 2FA prompt. So I got a friend 100 miles away to log onto our MY BT Account - no 2FA prompt. I got another friend to log on to our MY BT account via his mobile, ensuring wifi was turned off - still no 2FA prompt.

It is shameful of BT. They seem to be in complete denial. They have 25 million consumer customers. All at risk because the BT 2FA does not work. 

 
