Google proved this to me a few years ago.

I have a few alternate Google accounts that I setup to use only one of their services. I hadn’t logged into one of these in a few years, and that was from a different IP address, so it bugged me to verify I was the account owner.

My password database showed that I had setup an alternate email address for this account for this kind of verification. I had never given Google a phone number for this account.

Google ignored that email address. Instead what Google essentially told was “We don’t believe you are really windowsaturn. We think you may be an imposter who stole windowsaturn’s username and password. Whoever you are, if you give us your phone number now we will let you into windowsaturn’s account.

Google was not trying to protect me. Google only wanted my phone number.

Thankfully I didn’t need the account badly, so I left it for dead.

Prceisely, now the company knows where you are, what time you log in, what phone you have, how fast you type, etc

There are many 2fa sites that I can't log into from my lineage os phone. My current thought is that their tracking systems aren't getting the data they usually do and block my access.

A few months ago I had to call the tech dept. I was told "humm that's odd, you imputed the correct password but it still blocked you"

I had one big corporation named Chase Bank that I won't name fight with me over how this (SMS) was more secure than anything else, including email or a VOIP number behind a strong password, as well as TOTP.

When I mentioned that my carrier had several successful SIM attacks over the past few years, the dude simply repeated how secure it was.

You should use it for your password here. It's secure, I promise!