I gave a big long speech on security to my company, mentioned that SMS 2FA was junk and to use authentication apps instead, then made 2FA mandatory on our Google accounts… only to find out that you can’t even enable good authentication without enabling SMS 2FA first.
Actually there is a way, but instead of enabling SMS you have to enable U2F first, then it will allow you to turn on TOTP. If you don't have a U2F-capable device then you can use a program like softu2f that emulates one on your computer, even if it's just temporary in order to get TOTP turned on.
Absolute madness.