In case this is still being watched by those making / updating auth policies, I’d like to add a data point. Some of us can’t have our phones (or a hardware token like YubiKey) with us all day because we work in a secured facility that doesn’t allow personal electronics. This isn’t uncommon! It means that we wind up needing backup codes for 2FA all the time, which probably makes it more hassle than it’s worth.
Let’s look at the design from another perspective: who decided that my Mozilla account is somehow “more secure” than GitHub, which is then (I think?) supposed to be “more secure” than Google? I would say you’ve got that exactly backwards, at least for my personal use. I go to much greater lengths to protect my Google account – which includes stored Play Store payment information, sensitive documents in Drive / Docs, my primary personal email / internet driver’s license, etc. – than my GitHub account, though, granted, it doesn’t have permissions on important repos as some might. And I don’t think I even have a Mozilla account, but if I do, I only use it for messaging (forums, bug trackers, etc.) so having it compromised would be no big deal and (hopefully) easily rectified.
Of course, I’m arguing what I treat as being “more secure” rather than what’s protected by more security measures. I’d say that’s likely a wash. As far as I can tell, all 3 account systems allow 2FA but don’t require it, allow automated recovery using at least email and maybe an associated phone number, notify users of potentially suspicious logins, etc etc. If Mozilla is going to express a preference based on the assertion that one system is “more secure”, a) document that assertion (and link to those docs whenever you make it!), b) give us your reasoning, and c) be damned sure you’re right.