They probably didn’t have non-SMS multi-factor enabled on a secure device.

Eeasy peazy fix for next time.