I think the problem is, the customer doesn't own a mobile computer which is ostensibly telephone-based. SMS 2FA (like how many other websites use) would probably work on the customer's regular mobile phone but that's not how HL operates, even if it's better. I can see the argument of not storing personal data, but what if there were an opt-in for that option?