If you’re not using 2FA, you are less secure than you could be. My credit union has required it for literally 20 years. My brokerage accounts require using an authenticator browser extension or an authenticator fob. There is no credible argument that it’s impossible to secure an online account sufficiently to protect ONE vote.
I have no doubt the Chinese, or you and anyone else willing to pay the price, have my security clearance application. Nothing on it would give you the slightest advantage in hacking into my online accounts, unless you are willing to get on the phone and attempt social engineering to hijack my account because you know my SSN and mother’s name. A hell of a lot of work for ONE vote, and I would be instantly notified by email of any changes to my account, so you would not get far my friend.
We have mastered the procedures for doing secure business online, and I consider this an “expert” opinion because I’ve been doing online business daily for 20 years without incident.
Yes, the fob is secure because it uses PKI and the private key cannot be stolen from the fob. Ewerything else you use, from passwords to questions to text messages to any kind of software can be compromised and under the right conditions compromized en masse. Not just one vote, millions of votes if 2FA is your voting "security"
You won't get notified by email either or if on the odd chance you do I'll make sure you get dozens of notifications so you will ignore the useful one (actually Google does that already when I use the same account on multiple laptops and phones).
If you really want a purely tech solution then hand each voter a PKI fob in person upon presentation of ID and credentials. I've written browser extensions, both PKCS #11 and Microsoft CSP. Software tokens are not secure, only hardware is secure. I've also written the server side java and client javaascript to use FIDO U2F to secure web accounts. FIDO U2F fobs are secure just like the PKI fobs (some fobs do both).