Phone-based 2FA is security theatre that just adds a new and easy attack vector in the process, pushed by service providers obviously to attain your phone number instead of just an email address.
For anything important I use air-gapped hardware tokens for 2FA. If a brokerage or bank doesn't support hardware token 2FA they don't get my business, full stop.
At the last startup I worked for, which was rather security sensitive, the leadership actually insisted on employees setting up gmail w/SMS 2FA on their smartphones. I kept using backup codes and never set it up.
For anything important I use air-gapped hardware tokens for 2FA. If a brokerage or bank doesn't support hardware token 2FA they don't get my business, full stop.
At the last startup I worked for, which was rather security sensitive, the leadership actually insisted on employees setting up gmail w/SMS 2FA on their smartphones. I kept using backup codes and never set it up.