Could be his email address uses OTP or UFA, which would make it secure.

If anything SMSs are much more dangerous than OTP and services should eschew them.

Sadly some of them still force you to have SMS.