by dvzk 789 days ago
SMS 2FA is one thing. Bad, but ineffective. SMS-based account recovery is far worse. Every time a major website asks me for a phone number "in case you lose access to your email account" I freak out internally before ensuring I never enter it.
1 comment

Right. The SMS 2FA risk is overstated IMO - at worst it makes it as insecure as password-only, and at best it creates a roadblock for attackers that can be significant for locked SIMs.

But SMS account recovery is definitely opening the door to attack.