by nmjenkins
3304 days ago
(I designed the FastMail 2FA system.) Short answer to your question: no. We are concerned with both keeping other people out of your account and making sure you still have access to your account. For most users, the risk of losing their authenticator token or security device and so getting locked out of their own account is greater than the risk of someone hijacking their phone number. This is why we require you to add a recovery phone first.

It's very important to note that if you have 2FA enabled at FastMail, we always require two factors to access or recover your account. Hijacking your phone is not enough: the attacker would still need to have also stolen your password. And hijacking your phone number is a very visible move, which you will quickly notice. In the highly public cases we've seen of this kind of attack over the last few years, I believe in every one the attacker has not had the password, and has only succeeded because they could gain access to the account with SMS alone.

For advanced users: you can remove the recovery phone at FastMail after setting up 2FA. If you do this, I strongly recommend you write down your recovery code and store it somewhere safe, and set up at least two different authentication mechanisms.
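The policy the comment describes ("password plus one second factor on every path, including recovery") as a toy model. This is an added example, not FastMail's code and not part of nmjenkins' comment; the account fields, the factor names, the phone number, password and recovery code are all assumptions made up for the demo, and the password is held in the clear only to keep the model short.

```python
"""
Added example (not FastMail's code): a toy model of the access policy the
comment describes. With 2FA enabled, every path into the account, normal
login or recovery, needs the password plus one enrolled second factor, so
control of the phone number alone never suffices. All names, secrets and
phone numbers below are constructed for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import hmac


@dataclass
class Account:
    password: str                                        # demo only: stored in clear
    two_factor_enabled: bool = True
    totp_secret: str | None = None                       # authenticator app enrolled
    security_keys: set[str] = field(default_factory=set)  # enrolled key ids
    recovery_phone: str | None = None                    # number that receives SMS codes
    recovery_code: str | None = None                     # single-use, written down offline

    def enrolled_second_factors(self) -> set[str]:
        factors = set()
        if self.totp_secret:
            factors.add("totp")
        if self.security_keys:
            factors.add("security_key")
        if self.recovery_phone:
            factors.add("sms")
        if self.recovery_code:
            factors.add("recovery_code")
        return factors


def attempt(acct: Account, *, password: str | None = None, totp_valid: bool = False,
            security_key_id: str | None = None, sms_phone: str | None = None,
            recovery_code: str | None = None) -> tuple[bool, str]:
    """Evaluate one login or recovery attempt. Returns (allowed, reason).

    The password is checked first and is always mandatory; when 2FA is on,
    one enrolled second factor must also be presented. A recovery code is
    consumed on use so it cannot be replayed.
    """
    if password is None or not hmac.compare_digest(password.encode(), acct.password.encode()):
        return False, "password missing or wrong"
    if not acct.two_factor_enabled:
        return True, "2FA disabled: password alone is sufficient"

    if totp_valid and acct.totp_secret:
        return True, "password + authenticator app"
    if security_key_id is not None and security_key_id in acct.security_keys:
        return True, "password + security key"
    if (sms_phone is not None and acct.recovery_phone
            and hmac.compare_digest(sms_phone.encode(), acct.recovery_phone.encode())):
        return True, "password + SMS to recovery phone"
    if (recovery_code is not None and acct.recovery_code
            and hmac.compare_digest(recovery_code.encode(), acct.recovery_code.encode())):
        acct.recovery_code = None  # single use: burn it
        return True, "password + recovery code (now consumed)"
    return False, "second factor required: " + ", ".join(sorted(acct.enrolled_second_factors()))


def scenarios() -> dict[str, bool]:
    """Walk the cases discussed in the comment; returns which attempts succeed."""
    phone, pw, code = "+15555550100", "correct horse battery", "hfkq-29ma-xv8p"  # constructed
    user = Account(password=pw, totp_secret="JBSWY3DPEHPK3PXP",
                   recovery_phone=phone, recovery_code=code)
    results = {}
    # SIM-swap attacker: controls the number, does not know the password.
    results["sim_swap_alone"] = attempt(user, sms_phone=phone)[0]
    # SIM-swap attacker who has also stolen the password: two factors, gets in.
    results["sim_swap_plus_password"] = attempt(user, password=pw, sms_phone=phone)[0]
    # Password alone is never enough while 2FA is on.
    results["password_alone"] = attempt(user, password=pw)[0]
    # Advanced user removes the recovery phone, then loses the authenticator app.
    user.recovery_phone = None
    results["recovery_code_rescues"] = attempt(user, password=pw, recovery_code=code)[0]
    # The same recovery code cannot be replayed.
    results["recovery_code_replay"] = attempt(user, password=pw, recovery_code=code)[0]
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'ALLOWED' if ok else 'denied'}")
```

The model deliberately orders checks so that the password gate is evaluated before any second factor; a phone number alone, which is what a SIM-swap attacker holds, never reaches the second-factor checks.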