Hacker News
by bdcravens 3982 days ago
Many 2FA implementations offer SMS (which would be compromised given a social-engineering cell redirect) as an alternative to TOTP. (What's commonly referred to as "Google Authenticator": it's time-based, so if you capture the initial image or code, you can actually set it up on multiple devices, so it's not exactly device-based.)

This is a reason to not verify over SMS and to instead use the Google Authenticator app. It seems easier to socially engineer an SMS redirect than to obtain the mobile device and bypass its login authentication.

If you are going to verify over SMS, don't have your SMS messages forwarded to email, as that would render your 2FA pointless.