[arjie]

How is that two factor any more? You've broken the security model. You now have only a knowledge factor, no possession factor.

The whole point of two-factor authentication is to make it so you need two things of two different types. You reduced this problem to having two passwords (two things of the same type).

[drdaeman]

Do you mean there is any significant difference between an email and SMS accounts?

[gcommer]

I think that depends on the adversary. Against the NSA there might not be a major difference (depending on your email provider), but SMS is probably more secure in the typical case, as it is much more common for your run of the mill script kiddie/phisher/etc to get access to someone's email than their phone.

[drdaeman]

At least some mobile operators have "SMS archive" option, that can be enabled and accessible from self-service site. It requires some time to set up, but attacker with sufficient time, knowledge and patience may pull the attack relatively easily. No need for NSA-grade adversary.

(Even worse, until relatively recently they had used numeric passwords (those had to be set from a phone, using DTMF tone dial). This had changed only 3 or maybe 4 years ago. Wonder whenever that change was 2FA-related. :) )

So I'm uncertain whenever SMS is more secure.