To illustrate this bad security design from Booking.com : here is concretely the email they sent when you have 2FA (so in addition to the unique code they provide by email acting as a password):
I was kind enough to inform them about this 2FA issue, but here is the answer I got:
they did not worry about the issue. They also mention customer security is their absolute priority
