Not always. The Victor crew found an article/video that demonstrates how you have to be very careful even if you use 2-factor authentication in place. The trouble can occur when a user clicks a link sent in a phishing attack. The email may look legitimate but it may have the real site name misspelled.
The most important take away it to stop and think before click a link even if you think it comes from a legitimate source. If you receive a message from a major site, most likely you can just go to that site, log in, and see any notifications someone may have sent rather than looking at emails that are generated.
You can see how it 2-factor authentication is bypassed in this demonstration by Kevin Mitnick from KnowBe4.com.