Also because once they get that number under the guise of needing it for security they can use it for marketing texts. It's a win win!

It's perfectly fine if people want to use it, but at least provide the option for TOTP or hardware keys behind a big scary warning page or something.

an authentication app like google authenticator. there are others as well. https://en.wikipedia.org/wiki/Comparison_of_OTP_applications

No communication occurs to serve your 2fa code - it's a time based 2fa protocol.

Passkeys or WebAuthn, TOTP based 2FA (regardless of whether it's hardware or software based) is vulnerable to phishing. Protocols like WebAuthn are tied to the domain and is a lot trickier to compromise (at least not without significant effort).

A lot of people here are complacent when it comes to phishing because they believe "I am a big overpaid technical person on Hackers News, I am not dumb enough to fall for suspicious links unlike those dumb unwashed masses" but as most security people know, the sort of mass phishing attempts your grandma receives are relatively low effort compared to actual targeted spear phishing. A dedicated phishing attempt won't have broken English, CSS styling issues, weird punycode etc. It would be practically indistinguishable from the real thing unless you were specifically looking for it.

An authenticator app or hardware MFA device.

TOTP (thing that generates the 6 numbers every 30 seconds) whether that's a dedicated device (secure but very annoying) or a TOTP app on your phone (what most people use).

TTOP via password manager

Ideally use a dedicated hardware key, but if you can’t just use a 2fa app

Any dedicated MFA app, such as Authy.