That's not what this is intended to protect against. If your local machine is compromised, you are screwed, and 2FA, no matter what the form, isn't going to help you. At a minimum, for that, you need out-of-band confirmation of critical actions (e.g., a message to a different pre-registered device to confirm financial transactions before they are executed).