by troydavis
3304 days ago
It's not just FastMail. Most other 2FA-enabled sites (including Google) offer and recommend providing a phone number as a delivery method for a one-time code. The 2nd factor is only as secure as the weakest delivery method, though, so defining a phone number does make that factor subject to porting and SS7 attacks. Most sites offered text message backup codes before those attacks had been seen in the wild, but they're probably also stuck with a lot of users who didn't write down their recovery codes. There's no good recovery option with a large userbase. The closest is Delegated Recovery (https://m.facebook.com/notes/protect-the-graph/improving-acc...) but GitHub and Facebook are among the few, if not the only, implementors. Without that, eventually someone will lose or break their phone, realize Authenticator TOTP keys weren't in backups, realize they ignored the instructions to save the backups, and go to support. As long as you actually do print and securely store the backup codes, I think there's a good argument for not giving your phone number as a backup method.