[oefrha]

> they would both have to both get my password, and do some kind of social engineering attack to get access to my messages.

You must have not followed any SIM-jacking story, which is the point of this entire thread.

1. They don’t need your password because their goal is a password reset through your recovery phone, or recovery email address “secured” by a recovery phone.

2. They do social engineering on telecom employees (or outright buy them out for a pittance) to not only get access to your messages, but take over your entire link to your cellular network. You’re not involved in any of this.

TL;DR: the second factor makes you less secure, not more. It’s a downgrade from a secure password. It makes you defenseless.

[GhostVII]

As I said in my first comment, a recovery numbers turns it from 2FA into single factor. Obviously that is less secure, since a phone number is generally less secure than a password. I'm talking about true 2FA over SMS.

[tylerhou]

Recovery numbers should be stored somewhere safe, like your house. If your attackers have access to your house they could beat you up with a baseball bat instead of going through the trouble with finding your recovery codes and phishing your passwords.

[scottlocklin]

Recovery numbers are recovery telephone numbers. If they sim-swap you, they have your telephone number. The end. Virtually all email accounts and online services tie themselves to your damn telephone number, and there are tens of thousands of people in each phone companies who can move your number.

[tylerhou]

Oh, I thought you meant backup 2FA codes:

https://support.google.com/accounts/answer/1187538