That's a fair point. I guess I was speaking in the more general case, but yes, you can have multiple layers of authentication and it is super implementation dependent. Everyone has their own threat model (hopefully!).

(I wrote a few thousand words on MFA a year or so ago: https://fusionauth.io/learn/expert-advice/authentication/mul... )