Ray7 wrote:

But why do they need a phone number for that? Isn't an alternative email address good enough?

In my view? (And I emphasise MY view) No. People carry their phones. It's a central point. Email addresses are too easily hijacked, read in multiple places and so on. Of course I'd prefer a secure ID myself, or a YubiKey (maybe Google Authenticator at a push, but that's just a soft token, so do it properly with a soft SecurID then), but SMS is ubiquitous. My bank does it, PayPal does it, I have all MS billing transactions set up to do it.