What do you mean trivial to bypass? If I have an account secured with a password and with Duo, then I give you my password, can you get into my account? How?
A "SIM hijacking" attack is where an attacker calls your phone company and pretends to be you. They claim to have lost their phone, and get a new SIM card issued to them with your phone number. When they put the SIM in their phone, the Duo authentication message goes to their phone instead of yours.
Any 2-factor system based on the phone system is no more secure than your phone company's willingness to give away your phone number, and they're usually pretty willing. I actually had this happen to me, in a benign way: my employer started paying my phone bill, and they transferred my phone number from my personal plan on one carrier to the company plan with a different carrier. Somebody at the office just handed me a new SIM card and told me my old SIM didn't work anymore - it required no interaction on my part to transfer my number to a new plan with a new company. That's apparently just normal procedure.
I worked at a VoIP company and we were once slammed by another VoIP company who stole a block of 1500 of our phone numbers. It took 3 days to get them back.
POTS telephones are a mess and should just be deprecated.