Thanks for flagging this up and for expressing your concerns. I've just been chatting about it with my colleagues, and using "Google Authenticator"-style 2FA is something we've been considering for some time (see FreeOTP as our preferred client). I've added your forum post as another vote in favour of adding this feature.
That said, you mention our BigV V-Keys, which offer a tried-and-tested approach to 2FA that we currently support. If you'd like one, just drop us a line: email@example.com. Stocks are limited but we can get one out to you quickly.
The obvious answer to a password attack is to avoid using a password for BigV that you also use on other sites. If you ever think that your account might be compromised, contacting us on firstname.lastname@example.org will alert us 24 hours a day and allow us to take preventative measures. Deleted VMs must be additionally purged before they're gone forever.
Thanks again for flagging this up. Keep an eye on this topic and on the BigV site to see where we get to with other forms of 2FA.