If BA had a functional and managed IT department, all the 2FA stuff would be clearly visible under one's user account details where it would be possible to change 2FA method, regenerate recovery codes, change phone numbers/email addresses/activate whatsapp etc.

But they don't.