Under what circumstances does the phone number prompt prevent the attacker from accessing your account?
Perhaps they used phishing? Then they can just phish the SMS code as well.
Perhaps they're a MITM over an insecure channel? Then they can just wait for you to enter the SMS code.
Perhaps you installed their malware? Then they can just inject some code into the browser.
Under what circumstances does the phone number prompt prevent the attacker from accessing your account?
Perhaps they used phishing? Then they can just phish the SMS code as well.
Perhaps they're a MITM over an insecure channel? Then they can just wait for you to enter the SMS code.
Perhaps you installed their malware? Then they can just inject some code into the browser.