A short rebuttal of "Two-factor authentication is false sense of security"
For starters, what makes the password so broken is the fact that the shared secret (the password) is stored right where it’s subject to attack (the website).
That's not what makes the password so broken so long as the web service provider is doing everything right – storing the password hash instead of the raw password, using bcrypt with a significant work factor to generate that hash, and using a per-password salt.
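As an added illustration (not code from the original post), the three conditions above can be checked against a stored password column without knowing any password, because a bcrypt hash string carries its own work factor and salt. The rows are constructed placeholders and the `min_cost` floor of 12 is an assumed policy value.

```python
import re
from collections import Counter

# Modular-crypt layout of a bcrypt hash: $2b$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def audit_password_column(rows, min_cost=12):
    """Return {username: [findings]} for stored values that break the conditions.

    min_cost=12 is an assumed policy floor, not a figure from the post.
    """
    salts = {}     # username -> salt, for rows that parsed as bcrypt
    findings = {}
    for user, stored in rows:
        m = BCRYPT_RE.match(stored)
        if not m:
            findings[user] = ["not a bcrypt hash (raw password or other scheme)"]
            continue
        cost, salt = int(m.group(1)), m.group(2)
        salts[user] = salt
        if cost < min_cost:
            findings.setdefault(user, []).append(f"work factor {cost} below {min_cost}")
    # A per-password salt means no salt value may appear on more than one row.
    counts = Counter(salts.values())
    for user, salt in salts.items():
        if counts[salt] > 1:
            findings.setdefault(user, []).append("salt shared with another account")
    return findings


# Constructed rows: salts and digests are filler strings, not real bcrypt output.
_D = "x" * 31
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + "abcdefghijklmnopqrstuv" + _D),        # meets all three
    ("bob",   "$2b$12$" + "ABCDEFGHIJKLMNOPQRSTUV" + _D),        # salt reused by erin
    ("carol", "$2a$04$" + "0123456789./abcdefghij" + _D),        # weak work factor
    ("dave",  "hunter2"),                                        # stored raw
    ("erin",  "$2b$12$" + "ABCDEFGHIJKLMNOPQRSTUV" + "y" * 31),  # same salt as bob
]

if __name__ == "__main__":
    for user, issues in audit_password_column(SAMPLE_ROWS).items():
        print(user, "->", "; ".join(issues))
```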
I also (weakly) disagree that the website is the most likely attack vector, assuming he means an attack that grants access to the database or application server. The language is ambiguous, so I'll give him some benefit of the doubt and assume he's talking about XSS exploits, which can compromise a website without requiring direct server access.