> intercepting sms one time codes

Crazy idea, maybe they shouldn't be using those then. Maybe they should use email? Or god forbid a TOTP app. Or perhaps webauthn via the platform provided authenticator.

They very clearly aren't behaving in good faith. That's why the harsh sentiment.