It always bugs me when I log into a new site that is asking for any personal data but doesn’t offer any 2FA. It makes me question using the site at all; you make good points about the SMS link being relatively insecure. I like the application generated expiring codes as my first choice, but will take any 2FA over none any day.