The only kind of 2FA that needs a phone number is SMS, which is subject to several types of attack, but is better than nothing. The Authenticator app never asks for a phone number, and is measurably superior to SMS 2FA, even with this flaw. But the best option is a U2F or FIDO2 hardware token. Which also never needs…