The general solution against this attack is to generate random passwords for users, not force them into 2FA (for more annoying).