It's not about 2FA though. The problem is that PayPal allows users to log in via a one-time code sent via SMS, without the need to enter their password or TOTP (I assume this extends to hardware keys as well). They're doing 1FA over SMS and there's no way to opt out.
