You don't have to, but it's the most user-friendly, although flawed, method of enabling 2FA. They could have easily used a software token, but that requires non-tech-savvy users to download a third-party authentication app, as well as understand the basic usage. Why do that when users can simply get a text sent on a method they most likely have?