I just read that Facebook employees can login to their internal systems with only a username and password. See:
Cyber criminals have so many tools that we need an additional layer of protection. If Facebook can have hackers lurking inside their network for months, what makes you so sure your network is safe?
I’m advising all my clients and companies to enable 2-Factor Authentication on all systems. This and strong unique passwords gives me piece of mind that a compromise of my username and password does not expose me to cascading risks in other systems.