I would use the 2FA if it weren't an app. There is a specific security flaw in making it an app. This is why Twitter, Google, and many others now send text messages instead.
You are misunderstanding how 2FA works.
Getting 2-Step Authentication codes via SMS is NOT proper 2-Factor Authentication. It is not a second factor because it is not "something you have". You have to be sent the code by the site in order for that to work and SMS can and has been re-directed for the purposes of account takeover.
Proper 2-Factor Authentication requires either an app (such as Authy, FreeOTP, or Google Authenticator) or a device (such as a Yubikey) because a proper 2FA involves running an algorithm, usually a TOTP algorithm.
2FA using TOTP does not require the service to send you anything (aside from maybe a message telling the app to generate a code for you for convenience), because the code is generated on both sides using a combination of the current time and a shared secret key that is created when the 2FA was first set up.
Simply intercepting the generated codes is more difficult because they only need to be sent one-way and even if you can intercept them they would only work for individual login sessions. It's not practical to find the secret key using the generated codes because the algorithm used to generate codes from the secret key is very efficient going forward but requires an impractical amount of computing power and time to reverse.
In order to generate a valid code you need the secret key, which stays on the user's device and never needs to be sent over the network and because of that it can serve as an actual "something you have" second factor.
It even works offline provided the device has its clock set correctly (try using a 2FA app without a network connection, it still works).
Technically Steam is doing 2FA correctly by using an app.
What Steam is doing wrong with 2FA, at least in my opinion, is that they've insisted on only using their own app rather than using an already established standard used by other 2FA apps.
If Steam did not stubbornly insist on using their app then users could choose whatever 2FA app they wanted (like Authy, FreeOTP, or Google Authenticator) and it would be much more convenient, especially for those of us who use 2FA regularly and have already chosen an app we prefer.
Also, if anyone was wondering, account takeover via [redacted] does not involve 2FA in any way as it's taking over the account using a completely different mechanism that Steam and other sites really need to better secure.
In fact, part of the reason [redacted] has recently become a more common method of account takeover in some cases is because proper 2FA works so well that it's easier to find another way in rather than to try to attack the 2FA directly.
Just because you or anyone you know hasn't admitted to figuring out a way through doesn't mean it doesn't exist. Many people keep quiet for various reasons. In this case the Steam 2FA app does not actually work securely, and if you decompiled it and tried to understand what it was doing, you'd realize why and how you could break it. That is the risk of making the program public. Security relies on two things to work best, 1) the secret key remains secret, and 2) the method of using the secret key remains secret. If the second part becomes public it is still difficult, but much less so. However the app fails in that it has keys on how the secret key is created in its source, so it even fails the first part, opening up a gaping hole in the 2FA system they use.
edit: Just going to give an example of what I mean here:
Steam has given you the hashing algorithm to determine the secret key in their program. If they use a good input to the program though, this doesn't matter. They didn't use a good input, so I will give you examples of good and bad inputs, none of which Steam actually uses, and why they would be good or bad.
Using your browsing history from the last week -- Good Input
This is good because it is unlikely that even you, the user, can replicate your browsing history exactly even a week later. The exact configuration of your browsing history will be lost permanently some time after the key was generated, and can't be predicted.
Using your contact list -- Bad Input
This is bad, because your contact list does not change much, and comes from a small pool of people. Unless you remove a contact, and all references to that person from your life, social media, and the internet archive, the total number of keys possible from this is the number of contacts you have factorial, and if the hacker has information about you, this information could reduce this further.
Using secret questions -- Bad Input
This is a bad input, and I'll tell you why. These secret questions may seem to be known only to you, but they come out of a pool of questions given in the app, and if someone knows you, chances are they will know your answers to many of these questions. If someone hacks into one of your other accounts, they may be able to leverage that to find out the answers to these things as well.
Current date -- Bad Input
It is possible to find out approximately what date someone starts using one of these 2FA programs. As a result it greatly reduces the key pool to try when looking for the right key.
In short, a good input to a key hash has to be something that cannot be easily replicated because it's unpredictable. Steam's input is actually predictable in some way, which I won't get into. Because of that a hacker can figure out what key was generated when you started using 2FA. As such, the two services that I mention actually still have better 2FA models with the text messaging. I just meant Steam would have been better off with that.
If Steam wanted to improve their app, they would choose something unpredictable. Something so unpredictable, that even knowing what they use won't limit the key pool in any significant manner.