There should be a blacklist for websites that don’t allow 2FA or do it through SMS. There’s no excuse for sites such as PayPal not allowing TOTP, only some prehistoric hardware-based token generator.

    PayPal allows Symantec VIP Access in software (==TOTP, but with proprietary key exchange), but they hide it very well, and the initial registration of the token only works sometimes and only through their ancient /cgi-bin sites (if you find them). Even hardware tokens might work.
    After that, it works fine.

    Here is the link (you have to be logged in): https://paypal.com/webscr/...
