Whats the point of 2 Factor Authentication when you can just bypass it by using sms or email verification instead? The user can just select "sign in another way" and choose email or phone number. Less secure.