This also is not entirely accurate. I checked the options, and only two exist: sms or authenticator app. Both phone based.

Mobile phones are the least secure device that you are likely to own, so using them as authenticators is unwise.

This is all about getting your phone number, since you can’t enable a hardware token without giving them your phone number first.

Phone number then links to “real” identity, bank, home location and so on.