Re: If you MUST use SM

> Use a unique PAYG unregistered SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA.

It's not quite as simple as being about what _you_ think, unfortunately.

Twitter recently gave me a 12hr naughty-stepping, and to reinstate my account a requirement was that I provide a mobile number (I objected on GDPR grounds and they rejected the appeal). I didn't fancy throwing my account away over it, so yeah, I bought a PAYG SIM for the princely sum of 99p.

They also require you to provide a mobile number to enable 2FA, even if you'll be using TOTP/U2F instead of SMS 2FA.

In both these cases you can delete the number straight after, but they've had it, and it's down to trust (hah) whether it's actually gone.

As a side note, I discovered this morning that when they required me to provide that number, they silently disabled my 2FA. So the account's been sat protected only by a strong password for more than a month, without my knowledge.

Twitter are _really_ shit at this security thing.

