As a supplement: The attack on Südwestfalen IT was only possible because no end-to-end MFA solution had been established. That's why the issue is really pressing! The current solution of transferring the key by e-mail is almost negligent.
E-mail = postcard. Anyone can read it. A well-positioned attacker can at best intercept it.