Wait, does that mean that they bind an entire session to the EU-service to one IP-address? So one can't use more than one device to access EU and EU-related sites that require 2FA?
Or does it mean that they store the 2FA-token entered on first login in the web-browser (cookies or local storage)...