Oh and authenticator code can be bypassed/hacked
It's susceptible to man-in-the-middle attacks (really rare), or if they are actively keylogging you waiting until the second you login and then using the same key to jack you (the key allows a login with it for I think up to a minute after it expires). Unless you are the NSA or someone has cracked This
and managed to keep it quiet and everyone company using these passkeys hasn't noticed that they are getting random logins then yeah.
Think some people manage to get into others accounts by forging real life IDs and contact Blizzard too, Hydra was a supposed example of this.