by r3bl 3079 days ago
I don't give two craps about whether companies have my phone number or not, so I understand their argument.

Phone numbers are something all people have, so using it as a backup if you lose your Yubikey makes sense.

With that said, I do understand that someone using a Yubikey has probably already thought about "what happens if I lose it" and advanced threats against SMS, but if we want them to be used by everyone, this seems like a nice compromise.

2 comments

The threats against SMS are not advanced. ESN porting attacks are still -easy- in the US and I have personally had to be a first responder due to an administrator at an employer being hit by it. Suddenly you lose your 2FA backup to everything and an attacker resets all your passwords and takes over all your accounts.

Any aging Windows XP machine at a corner cell phone store has permission to port your number.

Even if that gets fixed, in the USA all cell service providers are required to retransmit a message with A5/1 encryption if asked, which can be intercepted and decrypted with Wireshark, a $20 USB TV tuner, and 2TB of disk space for rainbow tables.

Seriously, SMS is downright dangerous as a 2FA method and it is idiotic that vendors support it as a password reset method.

You are better off using nothing at all over SMS to avoid a remote account takeover... or use something that -can't- be remotely stolen like a hardware TOTP/U2F device.

If you don't care about privacy at all, why would you be interested in a Yubikey? Also, not everyone has or wants to have a mobile phone.

Saying that I don't care about my privacy at all if I don't care about companies having my phone number is just blatantly false.

There are a lot of things I want to protect (hence, the Yubikey). A phone number isn't one of them.