Hacker News
by rdl 2405 days ago
I agree when SMS 2FA is strictly in addition to a password, and the phone number isn’t used for account recovery (or marketing), it is theoretically no worse than just a password. The problem is it still with great 2FA, and the kind of sites which do SMS 2FA are exactly the ones incompetent enough to turn it into SMS-based password recovery which is worse than no 2FA.

(The other use of SMS which is somewhat legitimate is as a cost gate to create new accounts. Generally creating a new SMS receiving phone number costs someone more than a new email, so if you want to crudely limit creation of large numbers of accounts by individual users, it can be an option.)