[tekstar]

I guess then the risk is whether or not the VOIP provider is more secure than my phone provider? I need to think that one through.

With the second scenario I was just thinking that, if I personally didn't receive the text on a given morning, I would know that my number has been ported and I would begin to freak out and try to race the attacker.

[geforce]

I think it's more of a "security by obscurity" thing than anything, but if the number is really unknown except for you and the 2fa provider, that would probably be "good enough".