NIST has already been discouraging the use of SMS for 2fa[0], but that apparently won't stop the subset of incompetent IPSec consultants who still recommend SMS-based 2fa.

[0] www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html

It doesn't stop incompetent dataroom operators either from forcing their users to give them their phone numbers for 2fa purposes.

And there is absolute gold in those datarooms if you know where to look.

Recent offender:

"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project/ changing your password/ accessing the protected versions of documents in the data room - an sms code will be sent to your cell phone. "

This after me pointing out that SMS for 2fa is not a good idea.

There’s a far worse example:

PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.

Support for TOTP? HOTP? Nope.

Those proprietary 2FA devices are just TOTP with a weird provisioning system.

You can use a tool such as https://github.com/dlenski/python-vipaccess to use Google Authenticator/FreeOTP etc. to access PayPal.

That said... I believe you still need a mobile number enrolled to enable a token.