You may be right. A lot of orgs will happily let you use SMS for 2FA at login, but let you recover your account with that same SMS, making it 1FA x 2 (or 0FA, to line up with RAID 0)