There's a simple way to tell if 2FA is being used for security or to harvest phone numbers: Does the site let you use an email instead of a phone number? If you can't use an email, the purpose is to harvest phone numbers.
TOTP is so good, it should be treated equally to or superior than phone number or e-mail as a requirement, by regulation, as an option for any site conducting business in US Dollars. E-mail is terrible for secure authentication. Banks have had plenty of time to implement this and haven't. TOTP can eliminate the password altogether, and make login usernames long-lived long TOTP or HOTP codes and I have just solved the terrible passkey problem!
