
They do have it, but they probably have millions of accounts that were created before that feature and never logged back in and set it up. It's also through an auth app and not texts, which is more secure but more of a hassle for not allowing users, which might affect adoption.


It is very inexpensive to check your customer passwords against HIBP [1] or strongly encourage MFA. They choose not to.

[1] https://haveibeenpwned.com/API/Key

(23andme customer using Apple SSO, have strong opinions on customer IAM, passwords must die)


Doesn't that require you to know the password in plaintext?


Depending on your use case and implementation details, not necessarily.

https://www.troyhunt.com/understanding-have-i-been-pwneds-us...
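As an added illustration of the k-anonymity approach the linked article describes (example code, not from this thread or from HIBP): the client hashes the candidate password at signup or login, sends only the first five hex characters of the SHA-1 to the range endpoint, and matches the remaining 35 characters locally, so the password itself never leaves the client. The range response below is constructed, not a real HIBP reply.

```python
import hashlib

# Real HIBP Pwned Passwords range endpoint; only a 5-char hash prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(prefix: str) -> str:
    """URL queried for a given prefix (the password itself is never sent)."""
    return PWNED_RANGE_URL + prefix

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. With the Add-Padding: true header HIBP
    also returns fake suffixes with count 0; those must not count as hits."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen

def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in Pwned Passwords according to
    a range response for its prefix; 0 means not found (or a padding entry)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

# Constructed sample response for prefix 5BAA6 (the real SHA-1 of "password"
# is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up; the
# last line imitates a padding entry.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000ABCD:12
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("query:", range_url(prefix))
    print("breach count:", breach_count("password", SAMPLE_RANGE_5BAA6))
```

This only works where the plaintext is transiently available (a login or registration form); it cannot be run retroactively over a store of hashes made with a different algorithm.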


Can't those old accounts be flagged to require email verification to log in?


Most old accounts would probably never try to log in again anyway. After you learn that you're 3/64ths Irish you've gotten what you wanted; why log in again?

Yeah I know there's the whole genetic disorder screening thing which might receive more updates in the future, but I think most of their customers probably did this for the novelty of knowing where they came from.


Oh, you lost your email account access? Please send a matching DNA sample and $99 to unlock your account.

I mean, 23andme has one of the ultimate methods of account recovery available to it. (ignoring that people tend to leave copies of their DNA everywhere, but then you could just mail that in under a John Doe and find out all the same info anyway).


Whatever way you put this, handling the support load of the few customers who can't log in - and by this argument aren't ever logging in anyway - is better than having this degree of PII leaked and the company reputation ruined.


It could be easier and cheaper for some to get someone's hair or saliva than cloning a SIM card...


My point of view here is that of someone who has lost their access to 23andme, not someone using it for SSO for other services.

While I get the social media aspects of 23andme, if one can get your DNA, they could submit that to 23andme and find out everything you already knew.

I wonder how they handle duplicate submissions?


The Facebook way: sign up with email, get instantly restricted, need to verify with a mobile number to unlock.


> created before that feature

Which feature? Unless they didn't ask for their users' email (which I'd find surprising), they could have added e-mail-based TFA any day without asking their users to do anything.



