I actually had something like Google Authenticator in mind, I don’t need to know (or what) or store the phone number. Ideally I want to store as little as possible, that is the authorized ID (e.g. ephemeral, but sticky user id, or worse case email) and temporary access tokens/credentials (until they expire). I only need a single type of “physical credentials”. E.g. Google Authenticator as MFA, phone can also be used alternatively to click in some app, answer a message or use the token I send - like in the email example you gave).