Clearly you don't understand two factor auth. How does sending an email to a phone qualify as two factor auth but sending an email to a computer does not? It could be a phone I've stolen. It could be a throwaway monthly phone. MS has no way to authenticate either device (if I'm a criminal I will be paying for the phone with a stolen identity). For a device to qualify the authenticator has to have some way of knowing the device is in the hands of the person who is supposed to have it and that the device itself is verified.

Here is an example of two factor auth. I use two factor auth on a Bloomberg terminal. AFTER verifying my identity, Bloomberg issued me a small device that generates a magic number.  Along with my password, that number is keyed in when I access the Bloomberg terminal.  So Bloomberg is able to authenticate me based on something I know (my password) and an authenticated device that I have (the number generator). 

Here is another example of two factor auth: Remember MS will want my bank info. Most likely they will ask me for a number that is printed on the back of my bank card. That indicates I physically have the card or have seen it. That is a form of two factor auth.

Sending an email to device A instead of device B does nothing to verify the identity of the user if the authenticator is unable to verify the authenticity of either device.

This thread is sidetracked. My point was and still is that MS does not need my phone number unless I CHOOSE to give it to them, and the least they can do is have a clause in the TOS that says we swear to GOD we won't call you unless it's an emergency and we will never give this number to an affiliate (read: whoever pays enough for it).