I believe P2D is completely bypassed if you authorise a drive from the app, effectively the way Tesla service do it. It seems anyone who has your refresh token (Teslafi, or any of the other third-party apps) can simply send the command and drive your car away. There was a suspected breach somewhere recently and Tesla forced a lot of password changes; I can see this being as big an issue as a bug. MFA is also only needed to generate the initial tokens; once done, they can refresh periodically without the owner knowing.