I don't think it should be the sites' responsibility to guess whether the browser session is the have device will receive an SMS message... The fact that it is SMS is already bad anyway.

Time-code apps or passkeys are a different story.

1. You should be able to make backups.

2. There's nothing to intercept in plaintext.

3. The all can (unlike SMS features) be locked down by default and require a second layer of unlocking, so that they usually aren't accessible to someone who grabs your phone out of your hand.