I think SMS 2FA is worse than no 2FA, given that you can often reset a password using SMS as verification. If your phone number is hijacked, you're owned completely. Without SMS 2FA, you have to reset your password via email, or resort to contacting the company directly.
But there needs to be a scalable way to let users reset passwords. Users will forget passwords, as anyone who has ever worked tier one support can verify.
Requiring a physical, government-issued ID to be presented at an office can work for some scenarios, but not for the vast majority of online services.
Too bad this is a sub-comment that can't be voted to the top of the page. Very insightful, and a way of looking at the situation that I'm disappointed to say didn't occur to me until reading your comment.
