SSPR requires some sort of authentication method. It could be password and phone. though not recommended not to use true MFA:
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-sspr-deployment