Even more scary with the Yahoo account in particular, I have it set up as an app-based authentication, so I get a popup on my phone if someone tries to log in. However, when they (I assume) clicked the "I don't have access to this, send an SMS instead" message, that notification immediately disappeared, so I didn't even have time to hit the "don't allow" button before it was no longer an option.

Google at least seems to have this right, in that when they attempted to do the same with those, the notification was still there. I also received a separate "request to reset account password" which stated it would take like 15 days to occur, and I was given the option to cancel it.

Regardless, I think I'm going to try to go hardware key with an TOTP app backup for 2FA going forward, wherever possible.