>your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.

This is mostly a red herring because most of the places that require SMS TOP already have your full name/address (eg. financial institutions, healthcare providers) or are in a position to intercept communications that they can infer that information (eg. google). If apps/sites like tiktok wants my phone number for 2fa, they can fuck off, or get a burner number.

Neither TOTP nor HOTP provide "what you see is what you sign" property, unfortunately, which can be critical for bank and other transactions.

"Enter this code only if you want to pay <amount> to <merchant>" is much more secure than "enter your TOTP here", which is a lot like issuing a blank check in comparison (and in fact required by regulation in the EU, for example).

Not even WebAuthN provides that property on a compromised computer; for that, you'd need something like the SPC extension [1] and a hardware authenticator with a small display.

That's unfortunately why we're currently stuck with proprietary bank confirmation apps that can provide it. I really wish there was a vendor-neutral standard for it, but given how push notifications work (or rather don't work) for federated client apps, I'm not holding my breath.

[1] https://www.w3.org/TR/secure-payment-confirmation/