Before two-factor authentication, it was common for MMO accounts to be stolen. It was a common thread on various forums (official forum for a game, reddit, fan-created, etc). The number of instances of accounts being stolen are very low. The player has to almost go through extraordinary lengths to let their account be stolen.

I had two FFXI physical security tokens (my wife and I). We got them when security tokens first came out in 2008(?). We just replaced the second one earlier this year. That's 15 years. I attach the token on badge pull secured to the monitor. The token has no purpose outside of logging into the game, so that's where it stays. I don't carry it around in my pocket (the software app on the phone). I don't have to worry about disassociating it with my account when I change phones. It is safe and secure. Spend the $10 or whatever, get a physical token and just keep it where you play the game.