It appears a few things got tangled up here in terms of rumours being told, so I’ll try to get things a little more transparent. 
1.) There is currently a bug that indeed prevents various M+ keys from being listed via the LFG system, if the account lacks protection via SMS/authenticator. We’re working on fixing that.
2.) The authenticator isn’t spyware of any kind. For people who for any reason would prefer to not have the app on their phone, or don’t have a smartphone at all, there is also a keyring-token version of it available for about 15 years already by now (the token actually predates the app-version by several years).
3.) SMS notification services are reasonably secure, but are indeed not meant as a stand-alone setup - they’re intended to accompany 2FA systems. Hence the requirement to use them together with the authenticator, which is just that.