Currently for MFA, Alpaca only offers an SMS option.
SMS was never designed for secure communication. Also SMS can open an account to hijacking via a SIM (phone port) attack.
The use of SMS has been questioned going back to 2016:
SIM port attacks have been on the rise, with the recent Twitter hack being a high-profile example. A successful SIM port attack could result in a hacker having a clone of your phone, and can be escalated to access into an email account.
Please offer more secure options such as Time-based One Time Passwords (TOTP).