I don't think you understand the purpose of two-factor authentication. It's quite obvious that the hypothetical IT department in your published conversation does not either.

Verification codes, whether sent to a SMS number, email or a mobile app, are NOT designed to be a replacement for entering a password. It's an ADDITIONAL step to entering your password. It's also remarkably effective at keeping 99.9% of hack attempts at bay.

Obviously, if someone steals your device, you are going to have some problems. But hopefully you used a lock code. I do know it's very difficult to break into an iPhone without the lock code. So much so that the government wanted Apple to put a back door into iOS but Apple famously refused.

Not sure on Android devices though.

No one authentication method is 100% secure by itself. The more factors you add to the authentication process, the more secure your account becomes, but you sacrifice convenience for security. That's the way it is.