by mherrmann 3521 days ago
I have hundreds of usernames and passwords for various web sites and don't see a problem in having one more(?)
2 comments

Interesting. I try to keep the number of usernames and passwords I have to an absolute minimum because I don't trust any of those to keep that secret, nor do I trust my computer to not spill the secrets somehow through a browser bug or other drive-by exploit.

At the same time I totally trust my SIM, it's never been more than 10 meters away from me in the last decade or two, hasn't failed me even once and it would be very hard to get it to cough up its secrets without my cooperation (so rubber hose cryptography would still work).

Contrary to www security, the phone system seems - from my perspective at least - to have done a half-decent job at integrating 2FA when your average website - 20 years later - is still making up its mind about whether or not that might be a useful thing to add.

If you use actual strong passwords then you are an outlier. Most people use basic words like "password" as shown by every password dump in history. Indeed, most people would use the very same weak password they use for their e-mail for their mobile, and this would reduce protection against spoofing versus continuing to use the SIM system.

What we need is a SIM-type system on the web as well, not to bring the broken web password system elsewhere.

Client TLS certificates have been a thing since forever, but browser makers keep it a pain in the ass, and too many "modern" software stacks don't even consider leveraging the decades of infrastructure that would make their job easier. Add to that the fact that identity aggregators want to be producers, but rarely allow themselves to be consumers, and we get stuck in the hell that is identity online.

Furthermore, any security system that effectively relies on the user possessing more than one computing device (e.g., using your laptop for access to a password manager or email address) fails for the significant and increasing swath of humanity for which their phone is their [first and] only such device.