We should lobby them to change the rules, as a second e-mail account would literally be a second factor. Then it's up to the user to hook it up to their phone.

Email based authentication is lame. If a hacker gets access to your email, then they automatically have access to your 2FA. Lame.

So if a hacker gets access to your second factor, they have access to your second factor?

And if they get access to my phone number they get access to my texts and phone calls. That's why neither should ever be the only authentication factor (nor a single-factor recovery method for that matter).

That said, my phone number is significantly easier to take over than my email address and mailbox.