Let's take the following scenario: An attacker has gained access to the users password and one of these requirements:
he has access to the device where the user selected 'remember this device for 30 days' or
he can somehow bypass the login 2FA, because the user has selected 'remember this...