
MFA is not a magic solution to all problems either. You can't expect me to give my phone number or real email address to every random site I log into.


You don't need to do that for HOTP/TOTP though.

1. Scan a QR code.

2. You now have a secret value that can generate a deterministic pseudorandom integer securely indefinitely.

Also, SMS-based MFA should be burned to the ground.


Scanning a QR code by hand is easy when you don't have the phone handy. (sarcasm)

Actual OTP should allow you to print out or write down a set of codes.


> Scanning a QR code by hand is easy when you don't have the phone handy. (sarcasm)

That's way different from "I don't want to give out my phone number".


Both are impossible when not having a phone.


It's a non sequitur.

"I have a phone number but don't want to give it out" is different than "I don't have a phone".

But hey, there are 2FA devices you can use instead.


This is why I'm a big fan of the U2F standard, which allows a device (generally a small USB/NFC device) to generate shared secrets for arbitrary services without exposing any personal information.


Think about this problem in context with the NIST trust level framework.

Nobody gives a shit about low trust environments... go ahead and crack my slashdot account, but higher trust stuff like mail, money, network access etc absolutely need MFA.


That's my point. MFA itself is certainly a very useful security solution (for example, I wouldn't trust a bank that doesn't use it), but "MFA everywhere" is not a way to go, because I value my privacy more than some useless Internet account.


A security key should work.



