There are lots of patchy solutions, but the issue we had was that we ultimately needed SMS and calls, inbound and outbound. 2FA only got us so far and wasn't usually the problem, more common was needing to call a company from the number on our account, or receive a callback from the company's support team.
Our ops team had a physical phone for this, but it lived in a desk drawer somewhere and that didn't scale as the team grew and became distributed.
I think what Twilio or others could do is offer non-VOIP, genuine, etc, numbers on the condition that the company and use-case is vetted and the usage is audited. A little like getting an EV SSL certificate, you'd give valid points of contact, undergo basic vetting of the company, perhaps even limit the count of numbers you can contact and require human review for increasing that quota.
Maybe this would be too hard, arguably EV SSL failed because it wasn't strict enough. Or maybe I'm misunderstanding why VOIP/automated numbers are so easy to identify, I assumed it was because they were higher risk in this way and that this sort of auditing would circumvent the need for that, but maybe there's another reason.
Our ops team had a physical phone for this, but it lived in a desk drawer somewhere and that didn't scale as the team grew and became distributed.
I think what Twilio or others could do is offer non-VOIP, genuine, etc, numbers on the condition that the company and use-case is vetted and the usage is audited. A little like getting an EV SSL certificate, you'd give valid points of contact, undergo basic vetting of the company, perhaps even limit the count of numbers you can contact and require human review for increasing that quota.
Maybe this would be too hard, arguably EV SSL failed because it wasn't strict enough. Or maybe I'm misunderstanding why VOIP/automated numbers are so easy to identify, I assumed it was because they were higher risk in this way and that this sort of auditing would circumvent the need for that, but maybe there's another reason.