Yes, and it's heavily pushed. But if this scam really goes that deep in manipulation/phishing:

> but he managed to get victims to give him the iCloud passwords he needed to download their data.

Then he might have been able to get victims to allow his access.

I had the same thought.

If someone has given their email and password to an attacker, they won't think twice about giving the 2FA code as well.