I could send a login OTP to the phone number and read the 6 digit OTP on the lock screen (most don't disable this).

I've worked in netsec for 2 years and know the weakest link to connected security is usually the users