2FA and email address combined is a very good authentication method. But in this case, you need to be more responsible about the security of your phone. If it is lost, the fraudster can get access not only to 2FA, but also to your E-mail, that will help them get full control of your account.
I'm also thinking about this few times before, and I don't have any good option rather than my current ways. So basically I'm using Eset Mobile Security (not promoting them/affiliate with them, just sharing my way), that allow me to lock my phone in case lost with pairing to other phone number. the command also easy just send a sms from paired number to number on our lost phone.
I don't know how safe using this third party, at least I can locked my phone from other device easily without internet. And using this service i can locked our important application such as our 2FA. (DWYOR&DYOR)
about usibg open source 2FA, unfortunatelly, most of service currently using Google 2FA even no more updates for this service. How we can choose other 2FA if the site still using Google 2FA, maybe someone can give any explanation more about this, since lot of people says if Google 2FA not save etc, but exchange still prefer to use this service, how we (as user) can move to open source?