This doesn't bother me that much, but what really grinds my gears is how many sites won't let you log in with the correct username and password. I don't care enough about the account to want to set up 2FA, and I'd rather preserve a bit more privacy by not sharing my real phone number or another email address. Some sites seem to insist, and I think it's more about advertising and anti-spam than actual security.
Yahoo seems to be big on this these days. I had an old Yahoo account that I don't use much, but every time I try to log in, they seem to change around exactly what pseudo-2FA they want. Now they won't even let me try to type my password. Good grief, guess I'll just write off that account.
Or the ones that had silently truncated your password (e.g. JetBlue truncating to length 10) in every input and login box so the stored password isn’t what you think it is.
Then one day stopped doing truncating … but only in some boxes, not others.
I think there have been so many password breaches that most sites feel that passwords alone are insufficient for security purposes. Most users reuse passwords and if sites don't enforce 2FA they open themselves up to batch account compromises via script kiddies trying all combos found in the username/password dumps found on various haxor forums.
This is especially true for sites that provide email accounts for users on sites like yahoo which are the 2FA for many other sites a user has accounts on. Gaining access to a yahoo user's email account could allow someone to reset all their passwords on any 3rd account they used that email address for when they signed up.
Yahoo seems to be big on this these days. I had an old Yahoo account that I don't use much, but every time I try to log in, they seem to change around exactly what pseudo-2FA they want. Now they won't even let me try to type my password. Good grief, guess I'll just write off that account.