This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.
If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.
Therefore, SMS "two factor" is not only costly and annoying, but ineffective.
Can I get my upvote back?
and they don't have your account credentials, that's the other half of the two factor approach