pam module for sudo bypassed by using sudo -i

I've been trying to set up 2FA with Google Authenticator on Ubuntu to protect sudo. I followed the steps at https://blog.jitendrapatro.me/configuring-two-factor-authentication-for-su-and-sudo/ and was able to see my commands 'sudo touch /test' being protected, i.e. I would be prompted for my Google Authenticator verification code. However, the article says the following, which seems to imply to me that it's pretty easy to bypass the 2FA: > There are three downsides to this. First, 2FA needs to be enabled for the user account or there will be no prompt for entering verification code. Second, the switching to any user from root now will require to enter the verification code for that user, which is not so convenient anymore even if you’re root! Third and most important of all is you can just use “sudo -s” and get a root shell completely bypassing su! 🙂 Likewise, I was able to run sudo -i and bypass 2FA. Any way to prevent this bypassing? What am I missing?