
Today I learned that Twitter allows changing the password without asking for the second factor. Anyone with access to a valid session can simply change the password and lock you out. Same with the account email, apparently.
They do have an additional toggle for password resets (if email access is compromised, for example), but that is also disabled by default.