by UncleMeat
1286 days ago
SIM-swap is a real thing, but it has an unreasonably large amount of mindshare in discussions about login security in non-security communities. Phishing is a gazillion times more common because it actually scales. Both SMS and TOTP are equally weak to phishing, yet people frequently shit on services for using SMS and not TOTP. SMS has weaknesses. Especially if you are a particularly high-interest target. But the benefit of "everybody already has a phone" is immense and the true recovery mechanism for "oh shit I dropped my phone in the toilet" is valuable. Something like a yubikey is the complete solution to login problems that don't involve malware or some security vuln, but they are an extra thing that people need to buy so the pathway to "everybody uses a yubikey" is a mess. Both Android and iPhone are now offering similar functionality through phones, which mitigates the "you need to buy a new thing" problem, though it is harder to set up an effective backup here.