If the attacker has direct access to the system, there is not a lot you can do to stop them getting in to that particular system. The main problem imo is that people would use the same password on secure and non secure services so some random forum login ends up with their icloud details exposed. Which 2FA solved.