by robbya 2349 days ago
Edit: looking again, I see what I missed.

> The only real defense is to never associate your phone number with personal accounts which even then is often not possible.

Yes that's exactly right. If I don't trust a website to not use my phone number as the sole factor for recovery, then I should not use SMS 2FA on that site and I should not add my phone number to any part of my profile. If I know (how?) that the website won't use SMS for recovery, then SMS 2FA is better than nothing.

As a website owner, if I offer SMS 2FA auth and use SMS in isolation for recovery, then I'd want to stop using SMS for recovery. After that, removing SMS 2FA and not offering any second factor would weaken my security. I.e. SMS 2FA is weak but better than nothing. SMS single factor recovery is terrible, fix that ASAP.
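The point robbya makes above (an account is only as strong as its cheapest route in, so SMS-only recovery undoes whatever SMS 2FA adds at login) can be checked mechanically. The following is an added example, not code from the thread: it models a site's login and recovery routes as the sets of factors an attacker would have to control, and reports which routes someone holding a single channel could complete. The three site configurations are constructed for illustration.

```python
"""Which single compromised channel is enough to take over an account?

Each route (login or recovery) is the set of factors an attacker must
control to complete it. A site is no stronger than its cheapest route.
Constructed example; the site policies below are illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    required: frozenset  # every factor the attacker needs to control


@dataclass(frozen=True)
class SitePolicy:
    name: str
    routes: tuple  # all login and recovery routes the site offers


def completable_routes(policy: SitePolicy, controlled: frozenset) -> list:
    """Names of routes an attacker can finish while controlling exactly `controlled`."""
    return [r.name for r in policy.routes if r.required <= controlled]


def weakest_route_size(policy: SitePolicy) -> int:
    """Factor count on the cheapest route in; login strength above this is wasted."""
    return min(len(r.required) for r in policy.routes)


def recoverable_from_phone_alone(policy: SitePolicy) -> bool:
    """True if holding only the phone number (e.g. after a SIM swap) gets in."""
    return bool(completable_routes(policy, frozenset({"phone"})))


# Constructed site configurations (hypothetical, not real services).
SMS_ONLY_RECOVERY = SitePolicy("sms-2fa-sms-recovery", (
    Route("login", frozenset({"password", "phone"})),   # SMS 2FA on login
    Route("recover-sms", frozenset({"phone"})),         # phone alone resets the account
))
NO_SECOND_FACTOR = SitePolicy("no-2fa", (
    Route("login", frozenset({"password"})),
    Route("recover-email", frozenset({"email"})),
))
SMS_2FA_FIXED_RECOVERY = SitePolicy("sms-2fa-fixed-recovery", (
    Route("login", frozenset({"password", "phone"})),
    Route("recover-email-and-sms", frozenset({"email", "phone"})),  # no single channel suffices
))


def compare(policies, controlled: frozenset) -> dict:
    """Map each policy name to the routes completable with `controlled`."""
    return {p.name: completable_routes(p, controlled) for p in policies}


if __name__ == "__main__":
    sites = (SMS_ONLY_RECOVERY, NO_SECOND_FACTOR, SMS_2FA_FIXED_RECOVERY)
    for ctl in (frozenset({"phone"}), frozenset({"password"})):
        print(sorted(ctl), compare(sites, ctl))
    for s in sites:
        print(s.name, "weakest route needs", weakest_route_size(s), "factor(s)")
```

Running it shows the three cases in the comment side by side: with SMS-only recovery the phone number alone completes `recover-sms`, so the two-factor login buys nothing; with no second factor the password alone completes `login`; once recovery requires email and phone together, neither single channel gets in, and adding SMS 2FA to login now actually raises the cheapest route from one factor to two.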

1 comment

It's one of those things which, technically, can be done correctly. However, it isn't. It provides an incentive to do bad security which is bad for providers because their security will have a tendency to devolve into bad-factor recovery and it's bad for users because it makes them comfortable with a security factor which is easily defeated.

It might be good for your use case, but systematically SMS is bad for security in a global society sense.