by philnash 2350 days ago
The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.

The point being that had it been 2FA, it would have been the same hole.
There are a number of things here that are true.

* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recycling.

* Applications that do 2FA via SMS do not necessarily do account resets via SMS.

* 2FA over SMS is more secure than just having a password to secure an account.

I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.
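As an added illustration of the first two bullets above (not code from the thread, from Facebook, or from any real service), the following toy model compares two account-reset policies under phone-number recycling: one where the SMS code is the sole reset factor, and one where SMS is only a second factor next to a recovery code and the phone binding must have been re-verified recently. The names, numbers, dates, the recovery-code factor and the 90-day window are all constructed assumptions for the example.

```python
"""Toy model of the account-reset hole discussed above.

Added illustration only: not code from the thread, not from Facebook or
any real service. Names, numbers, dates, the recovery-code second factor
and the 90-day re-verification window are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    phone: Optional[str] = None
    phone_verified_on: Optional[date] = None
    recovery_codes: Set[str] = field(default_factory=set)


@dataclass
class CarrierRegistry:
    """Which person currently receives SMS at a number. Constructed stand-in
    for the carrier; a service never sees this table, which is the point."""
    holder: Dict[str, str] = field(default_factory=dict)

    def reassign(self, number: str, person: str) -> None:
        self.holder[number] = person

    def sms_reaches(self, number: str, person: str) -> bool:
        # A one-time code sent to `number` is read by whoever holds it now.
        return self.holder.get(number) == person


ResetPolicy = Callable[[Account, CarrierRegistry, str, Optional[str], date], bool]
REVERIFY_AFTER = timedelta(days=90)  # assumed freshness window for the phone binding


def reset_sole_sms(acct: Account, registry: CarrierRegistry, claimant: str,
                   code: Optional[str], today: date) -> bool:
    """SMS as the only reset factor: possession of the number is enough."""
    return acct.phone is not None and registry.sms_reaches(acct.phone, claimant)


def reset_sms_as_second_factor(acct: Account, registry: CarrierRegistry, claimant: str,
                               code: Optional[str], today: date) -> bool:
    """SMS still required, but only alongside a non-phone factor (a recovery
    code), and only while the phone binding has been re-verified recently."""
    if acct.phone is None or not registry.sms_reaches(acct.phone, claimant):
        return False
    if acct.phone_verified_on is None or today - acct.phone_verified_on > REVERIFY_AFTER:
        return False  # stale binding: the number may have changed hands
    if code is None or code not in acct.recovery_codes:
        return False
    acct.recovery_codes.discard(code)  # recovery codes are one-time use
    return True


def simulate(policy: ResetPolicy) -> Tuple[bool, bool]:
    """Return (legitimate owner can reset, later holder of the recycled number can reset)."""
    registry = CarrierRegistry()
    registry.reassign("+15550100", "alice")
    acct = Account("alice", phone="+15550100",
                   phone_verified_on=date(2024, 1, 1),
                   recovery_codes={"code-alpha", "code-beta"})
    owner_ok = policy(acct, registry, "alice", "code-alpha", date(2024, 1, 10))
    # Months later alice drops the number and the carrier reassigns it.
    registry.reassign("+15550100", "mallory")
    stranger_ok = policy(acct, registry, "mallory", None, date(2024, 8, 1))
    return owner_ok, stranger_ok


def compare_policies() -> Dict[str, Tuple[bool, bool]]:
    return {"sole_sms": simulate(reset_sole_sms),
            "sms_second_factor": simulate(reset_sms_as_second_factor)}


if __name__ == "__main__":
    for name, (owner, stranger) in compare_policies().items():
        print(f"{name:18} owner resets: {owner}  recycled-number holder resets: {stranger}")
```

The model separates the two questions the bullets raise: whether SMS is a factor at all, and whether it is the only factor for reset. Under the sole-SMS policy the new holder of the recycled number resets the account; under the second-factor policy the same claimant is refused twice over, once by the stale binding and once by the missing recovery code, while the legitimate owner still gets through.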

Ok, makes sense. Thank you for the kind response and I approve of most of it. I think we will have to agree to disagree on the last * though. I think that statement is very much 'it depends.'

I apologize for going in circles one more time... but by not providing 2FA SMS, it is impossible to f'ck it up or be abused. Right?

I shy away from any rules that say you can’t mess something up simply by avoiding one thing, especially in this sort of case. Consider also that avoiding 2FA by SMS may avoid sim swap or recycle attacks, but it could also eliminate 2FA for users who don’t have a device capable of running an authenticator application (a feature phone).

There’s a lot more at play here, and “just don’t” isn’t a nuanced enough answer to 2FA by SMS.