I believe that once you have it set to use a phone number, it's always possible for the attacker to choose to have it call instead of sending a text. (I seem to recall it provides that option on the 2-factor login screen.)