Gregory's ServerReally @ratfactor? 2FA is the straw that broke the camel's back? And you're blaming it on phone number harvesting?
I'm no GH apologist. I have similar concerns to what they've been up but as a security professional, the last 2FA method you should use is your phone. GH provides the option to use their mobile app (no), TOTP (yup), and FIDO2 security keys (woo!).
Phished pws are a legit concern and IMO they're doing the right thing here to restrict commit access unless you have 2FA