
2FA has no place over phone networks for account recovery. It's far easier to obtain access to 2FA texts or to do SIM ports like this than it is to break some gmail account password (even a weak one).

So many people don't seem to understand this. I was trying to use U2F yubikeys on gitlab a while back, only to discover they force you to enable 2FA first for account recovery. This completely defeats the purpose of hardware auth; it's not supposed to be for convenience. Security is only as strong as the weakest link, and 2FA is very weak.
