The phone-based 2-factor is better than nothing, in that any given code is only good for 60 seconds or so; but if you are tricked into trying to log into a phishing page, the attacker gets your password and your code, and can pass them through to authenticate. They may not bother, depending on what the percentage of users who bother is; but cryptographic fobs are where it’s at.
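The difference described above, as an added example that is not part of the original comment: a server-side model showing that a time-based code verifies no matter which page it was typed into, while a fob response that covers the origin the browser saw fails verification when it comes from a lookalike site. The function names, keys, nonce and example.com/example.net origins are constructed, the 30-second step is an assumption, and HMAC stands in for the asymmetric signature a real fob produces.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def totp_ok(secret: bytes, code: str, now: int) -> bool:
    # The server cannot tell who submitted the code or where it was typed.
    return hmac.compare_digest(totp(secret, now), code)

def fob_sign(key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    """Simplified fob: the browser, not the user, supplies the origin.
    Assumption: HMAC replaces the asymmetric signature of a real device."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def fob_ok(key: bytes, assertion: dict, challenge: str, expected_origin: str) -> bool:
    data = json.loads(assertion["client_data"])
    sig = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig, assertion["sig"])
            and data["challenge"] == challenge
            and data["origin"] == expected_origin)

def demo() -> dict:
    secret, key = b"constructed-totp-secret", b"constructed-fob-key"
    now, challenge = 1_700_000_000, "constructed-nonce-1"
    real, lookalike = "https://login.example.com", "https://login.example.net"
    code = totp(secret, now)  # read off the phone, typed into whichever page is open
    relayed = fob_sign(key, challenge, lookalike)  # browser was on the lookalike page
    return {
        "totp_passed_through_in_window": totp_ok(secret, code, now + 5),
        "totp_replayed_after_window": totp_ok(secret, code, now + 60),
        "fob_on_real_site": fob_ok(key, fob_sign(key, challenge, real), challenge, real),
        "fob_from_lookalike_site": fob_ok(key, relayed, challenge, real),
    }

if __name__ == "__main__":
    print(demo())
```

The short lifetime only stops a code from being reused later; within the window the server has nothing that ties the code to the site where it was entered, which is what the origin check adds.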