by t09i209ba893 808 days ago
>But SMS is better security than no 2FA at all

Maybe for some users, but to many like me, this is an annoying assumption for a service provider to make. If I'm forced into adding an insecure method like SMS, I feel that it needlessly weakens my overall security posture. With effort and diligence, it's possible to manage a single strong password securely, but there is absolutely nothing I can do to use SMS securely, so the degree of security I can aim for is limited.

I think the right approach should be to allow the user to opt into such insecure methods, but to never force them to accept a lower standard.

2 comments

Yes. SMS is completely about raising the insecure people to some base level of difficulty to compromise. This is often at the cost of more secure individuals.

The problem is that you can't force users to use a decently strong unique password. You can force them to set up SMS 2FA (with very minor exceptions of people without SMS access). Moving the base bar from credential stuffing to SIM swapping is a huge upgrade for big services.

> you can't force users to use a decently strong unique password

Unique is the key word. You can certainly force users to use a decently strong password, but not keep them from using the same password at every other website.

Sure. To be clear, I'm not saying "force users to use SMS". The ideal solution for most (not all) situations, in my opinion, is to require a password and one of HOTP|SMS as a second factor.
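As an added example, not part of the thread above and not any commenter's code: the HOTP factor the last comment mentions is RFC 4226, an HMAC-SHA1 over an 8-byte big-endian counter with dynamic truncation. The block below implements the generator and a server-side verifier with a look-ahead window, which is the practical detail an implementer needs because a user's token counter runs ahead of the server's whenever a generated code is never submitted. The secret `12345678901234567890` and the expected codes are the RFC's published test vectors; the window size of 10 is an assumed policy value.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); not a real key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value.

    HMAC-SHA1 over the counter encoded as 8 bytes big-endian, then dynamic
    truncation: the low nibble of the last MAC byte selects a 4-byte window,
    whose top bit is masked off before reduction modulo 10**digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str, window: int = 10):
    """Server-side HOTP check with a look-ahead window (window=10 is an assumed policy).

    Codes at counters below stored_counter are never accepted, which blocks
    replay of an already-used code. On success, returns the next counter the
    server must persist (one past the matched value); on failure returns None.
    Comparison is constant-time to avoid leaking digit matches.
    """
    for candidate in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    # A user who skipped two codes still authenticates; the replayed code does not.
    print(verify_hotp(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 2)))
    print(verify_hotp(RFC4226_SECRET, 3, hotp(RFC4226_SECRET, 2)))
```

After a successful verification the returned counter must be written back before the response is sent; a server that fails to persist it reopens the replay window the function closes.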