It's because all of these companies are cheap and don't want to deal with the customer support cost of people who lose a virtual/physical MFA device. Instead, they treat virtual/physical MFA like a convenience feature that their customers keep whining about. But, if you've got that SMS on backup, then who cares if you lose the MFA; just use your phone, security be damned.
1Password is also guilty of this in a different way: They won't let you register a U2F physical security key unless you also have a virtual security key on the account.
This is ridiculously simple. I'll spell it out:
1) Offer Virtual, U2F, and SMS-based multi-factor authentication. SMS is still useful for convenience on platforms which pose less of a security risk to your digital life.
2) Don't gatekeep methods of multi-factor authentication behind others.
3) Allow multiple devices for each method of multi-factor authentication, especially physical U2F keys.
4) Offer backup codes.
5) Offer an Enhanced Lockdown option, whereby customer support account recovery is irrevocably impossible in the event of lost multi-factor.