[hrrsn]

I doubt they really care at the end of the day. My Instagram username is three letters and I (used to) get 4-5 reset emails a day prior to turning on 2FA. I also frequently get asked if I want to sell the name. I'm just worried someone will get in and take it.

[nradov]

If you use SMS for 2FA there are numerous vulnerabilities. The Google Authenticator app is safer, unless Instagram itself has some sort of vulnerability.