> some sites mandate email/SMS 2FA

Which should be made illegal on a national/international level.

The only possible reason for that is sheer laziness or malicious ignorance. Full stop, end of story.

And I also include eMailed login links and eMailed 2FA in with that determination. Any secure login attribute that gets transmitted over eMail or SMS should be illegal. Password reset links, only. And vendor-locked/vendor-specific apps as the only 2FA path should also be illegal. TOTP should be a fully open system, letting anyone use any legitimate provider or app.

Yeah, let’s just say I have some pretty strong opinions.