I would use the 2FA if it weren't an app. There is a specific security flaw in making it an app. This is why Twitter, Google, and many others instead now send text messages instead.
You are misunderstanding how 2FA works.
Getting 2-Step Authentication codes via SMS is NOT proper 2-Factor Authentication. It is not second factor because it is not "something you have". You have to be sent the code by the site in order for that to work and SMS can and has been re-directed for the purposes of account takeover.
Proper 2-Factor Authentication requires either an app (such as Authy, FreeOTP, or Google Authenticator) or a device (such as a Yubikey) because a proper 2FA involves running an algorithm, usually a TOTP algorithm.
2FA using TOTP does not require the service to send you anything (aside from maybe a message telling the app to generate a code for you for convenience), because the code is generated on both sides using a combination of the current time and a shared secret key that created when the 2FA was first set up.
Simply intercepting the generated codes is more difficult because they only need to be sent one-way and even if you can intercept them they would only work for individual login sessions. It's not practical to find the secret key using the generated codes because the algorithm used to generate codes from the secret key is very efficient going forward but requires an impractical amount of computing power and time to reverse.
In order to generate a valid code you need the secret key, which stays on the user's device and never needs to be sent over the network and because of that it can serve as an actual "something you have" second factor.
It even works offline provided device has its clock set correctly (try using a 2FA app without a network connection, it still works).
Technically Steam is doing 2FA correctly by using an app.
What Steam is doing wrong with 2FA, at least in my opinion, is that they've insisted on only using their own app rather than using an already established standard used by other 2FA apps.
If Steam did not stubbornly insist on using their app then users could choose whatever 2FA app they wanted (like Authy, FreeOTP, or Google Authenticator) and it would be much more convenient, especially for those of us who use 2FA regularly and already have already chosen an app we prefer.
Also, if anyone was wondering, account takeover via [redacted] does not involve 2FA in any way as it's taking over the account using a completely different mechanism that Steam and other sites really need to better secure.
In fact, part of the reason [redacted] has recently become a more common method of account takeover in some cases is because proper 2FA works so well that it's easier to find another way in rather than to try to attack the 2FA directly.
