by idlewords 3362 days ago
Sorry about that, I'm updating that FAQ next.

The answer is that SMS is not a secure second factor (it's easy to hijack and eavesdrop on), and in some cases when you give a service a phone number, it becomes possible to take over the account with just control of the phone number.


There was an article floating around on HN a while ago about someone basically stating that an attacker was able to call their cellphone provider and use social engineering tactics to transfer their account to their own number, ultimately circumventing second-factor auth via SMS and gaining access to their Google account. I believe it was from an actual Google employee, so they were able to recover the account quickly.
And some services that do phone calls can be tricked to save to voicemail (which was the case for Google, Facebook and various others previously): https://shubs.io/how-i-bypassed-2-factor-authentication-on-g...
Google now offers "Google prompt", which sends a push notification to your phone through the Google app. How secure is this method?
Much better than SMS, but not as good as a security key, because if you can fool someone into logging in to an impostor site, you can get their email account.

It would be a reasonable backup in place of (or in addition to) Google Authenticator.
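As an added example (not part of any comment in this thread), a simplified model of why a security key resists the impostor-site login described above while a relayed SMS/TOTP code or push approval does not: the authenticator signs over the origin the browser observed and the relying-party ID hash, so an assertion obtained on another origin fails at the real site. The relying party `example.com`, the phishing origin and the HMAC standing in for the key's asymmetric signature are all constructed for illustration.

```python
# Added example, not code from the thread: WebAuthn-style origin binding,
# simplified. HMAC stands in for the security key's signature; the point is
# what gets signed and what the relying party checks, not the primitive.
import hashlib
import hmac
import json
import os

RP_ID = "example.com"      # constructed relying party (the real site)
KEY = os.urandom(32)       # stand-in for the per-credential key pair


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(rp_id: str, client_data: dict) -> bytes:
    """The key signs rpIdHash || SHA-256(clientDataJSON). clientDataJSON
    carries the origin the *browser* saw; a web page cannot alter it."""
    cd_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
    return hmac.new(KEY, rp_id_hash(rp_id) + cd_hash, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str):
    """Browser rule: rp_id must be the page's host or a parent domain of it,
    so a page on another domain cannot even ask for example.com's credential."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"rpId {rp_id!r} not allowed for origin {page_origin!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return client_data, authenticator_sign(rp_id, client_data)


def rp_verify(expected_challenge: str, client_data: dict, sig: bytes) -> bool:
    """Relying party: origin and challenge must match, and the signature must
    cover exactly that client data. A relayed assertion fails on origin."""
    if client_data.get("origin") != f"https://{RP_ID}":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    return hmac.compare_digest(sig, authenticator_sign(RP_ID, client_data))


def relayed_code_verify(expected: str, presented: str) -> bool:
    """An SMS/TOTP code (or a bare push approval) carries no origin, so one
    captured on an impostor site and forwarded to the real site verifies."""
    return hmac.compare_digest(expected, presented)
```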

Which is why password+SMS is sometimes called "1.5 factor auth"