I think the more urgent thing is to not use the social security number both as the ultimate secret, and also as a number you must give to hundreds of people.
That. I'm in favor of stopping this societal wave of making phone numbers the equivalent of digital SSNs (they're critical for digital life, everyone wants them, nothing good happens when you hand them out that freely).
Well if you fine companies for using SMS for security… you should put the CEO in jail for authenticating with social security number… if we go by just the number of people who get affected by skimmed SMS and by stolen ssn.
Don’t forget the final nail in the coffin, which completes the trifecta: it’s entirely immutable - damage radius = infinite.