In my humble opinion, the 2FA implementation needs some improvements.
Once enabled, it brings up a form with a pre-filled field, where the current mobile number is displayed in full - which is bad practice. More concerning, the mobile number can be replaced - meaning that if a user's password has been leaked, the hacker can easily change the registered number and log in. I just tested this theory, and I could log in to the account.
Within seconds, I could also change the password and get hold of the account completely.
In a real-world production scenario, this isn't good (to say the least). Add to this that SMS is looked at as a weak solution for 2FA, and we're having a problem.
Implementing authenticator app-based 2FA should be a priority, as well as email-based. Users should have multiple choices to make the platform secure and useable.