When I signed up using the app I signed up with email/password and then had to enter my phone number for two factor authentication. They never confirm your email address.

Fast forward to now and I get a new phone. Go to login and it asks for phone number for two factor authentication. I go through it and it says I need to enter email and password since my device wasn’t recognized.

Well turns out I misspelled my email. So someone out there has been getting my emails and since they can just use the email address to reset the password they can easily gain access to my account. You cannot reset the password via phone number and two factor authentication. You don’t even need that to login as far as I can tell.

I setup another account to test all those scenarios.

Anyway make sure your email is right because they won’t and then you risk someone taking over your account.