[RKearney]

> Why am I being downvoted?

I can't speak for all of those who downvoted you, but the comment you responded to mentioned how SMS based 2FA would be better than what they do today (i.e. nothing).

This is a fact. SMS 2FA, regardless of how bad it is, is still another hurdle an attacker would have to overcome. An additional hurdle, no matter how small, is still better than nothing at all. Therefore the assertion that SMS 2FA would be better than what they do today is simply an irrefutable fact.

If you left off the "Oh god please no." portion of your comment, you may not have been downvoted.

[tedunangst]

SMS 2FA includes the negative energy of "we have this, so we don't need TOTP or something better." It may well be a net negative.

The corollary to don't let the perfect be the enemy of the good is don't let the barely better be the enemy of the substantially better.

[Thorrez]

Generally companies treat the SMS 2FA as an additional check, so it's a security improvement. But some companies also then allow it to be used for password recovery, which is generally a security regression. Also multiple companies have used SMS 2FA numbers for ad targeting.

https://news.ycombinator.com/item?id=21197553