I agree when SMS 2FA is strictly in addition to a password, and the phone number isn’t used for account recovery (or marketing), it is theoretically no worse than just a password. The problem is it still with great
2FA, and the kind of sites which do SMS 2FA are exactly the ones incompetent enough to turn it into SMS-based password recovery which is worse than no 2FA.
(The other use of SMS which is somewhat legitimate is as a cost gate to create new accounts. Generally creating a new SMS receiving phone number costs someone more than a new email, so if you want to crudely limit creation of large numbers of accounts by individual users, it can be an option.)
(The other use of SMS which is somewhat legitimate is as a cost gate to create new accounts. Generally creating a new SMS receiving phone number costs someone more than a new email, so if you want to crudely limit creation of large numbers of accounts by individual users, it can be an option.)