In these days of scamming SMS with embedded links to who knows where that seems to be somewhat less than just a very ordinary approach to 2FA.
I deal with a number of companies that once had but no longer allow email 2FA because of ‘security’ not ‘privacy’.
ING Bank is as bad or worse. They treat older phones with their app as insecure for certain actions but fine for most. Mine is 2 1/2 years old and became ‘insecure’ about a year ago. ING refuse to divulge what constitutes an ‘insecure phone’ or provide a list of ‘secure phones’ or even the criteria such as Android or IOS version. Hence the ING app, as good as most of it is gets handicapped for unknown reasons. The solution proposed by ING - buy a new phone but offer no guarantee that new one might become ‘insecure’ by ING very quickly. Their ‘solution’ is to ring in and have an agent action it, as if I have nothing better to do for the often 20-40 minutes on hold. Speaker phone while listening to the drone of music and advertisements? Value added 
It is increasingly getting to the point where the companies are totally focused on ticking boxes for government mandates and directions from their own sometimes misguided security ‘experts’ without any consideration of or concern for their customers.
