And yet their account security page still says "When you sign in for the first time or with a device we don't recognize, we'll ask you for your username, password and a temporary identification code, which we'll send you by phone, email or text message."

IMHO, SMS is now more vulnerable than email thanks to the proliferation if SIM swapping. The best solution is an authentication app, which it seems Chase doesn't support.