Well, from first-hand knowledge, it's not only not impossible to brute-force attack a website's login system, but it's also trivial to do so in some cases, especially when scripts are involved. Two-factor authentication completely disables brute-force attacks, as well as dictionary attacks, and many others; without first compromising the database in which those accounts are stored. If the database and website codebase are both well-secured, it will be secure enough to be a deterrant.

Yes. Yes, a million times yes. A friend of mine is currently dealing with a mass brute-force attack on an older forum software (he's a moderator), and their cleanup is just insane. Even a *simple* 2FA implementation would be better than none at all. I may not have anyone who cares about what I do, but I'd like to keep my info safe from would-be script-kiddies. Google Authenticator is relatively simple to implement, and would allow easy access. U2F tokens would be good too, but you'd have to have a way to purchase the hardware. A link to a *truly* reputable vendor for the tokens would be absolutely required.