by rando444
2397 days ago
SMS 2FA is insecure because companies implement it in a way that it becomes one-factor. Forgot your password - reset your password - get an SMS. When there is no second factor involved, it's not 2FA despite people calling it that.
They send to your email. They use TOTP. They use OAuth, etc., etc. What other things accounts go back to either your SIM or someone stealing your phone, SIM and all?
Even U2F will fall down this hole soon since everyone wants to implement it on phones! Will the attestation certs for phones say multipurpose device that is probably involved in other factors?