[thinkharderdev]

Secure/not-secure is not a binary distinction. And SMS-based 2fa is still more secure than password alone.

One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switch jobs and realized I had a few accounts using my old work phone as SMS 2fa number. In every case it was ridiculously easy to call a CSR and get 2fa disabled from their end.

[DennisP]

Fallback processes are the way SMS can make things worse. Report a lost password, verify yourself with your SIM-swapped SMS, maybe apply a little social engineering. I'd rather have just a strong unique password than use SMS. (And of course I'd much rather have good 2FA.)