They "requested" my phone number after the fact. And by "requested" I mean I wasn't exactly given a choice. I wasn't able to access my account until I provided a number. Of course all this was for "security" reasons.
Personally I'd prefer to use Google authenticator anyway.
I feel as if one of the many elephants being overlooked here is how 'security' is being abused to further data collection. When an account gets locked now, I don't think it is for actual security, but to increase data collection. Tragedy of the commons being exploited by major websites. The same ones which also want to hold themselves as the arbiter of truth (or at least as one of the Arbiter's official spokesmen).
I wouldn't be surprised if there are 10s of millions of accounts without phone numbers associated with them.