For many sites, it’s not really two-factor authentication, it’s a “Reset My Password” feature with a single factor: ownership of the backup email or ownership of the phone number. It’s a huge risk.
Enabling account recovery with SMS alone is terrible, and even companies like Google allow this.
Let’s say a hacker gains access to a phone number. They don’t even know whose phone number it is. They go to mail.google.com and click “Find My Account,” where they can enter a phone number directly, and then proceed with SMS-based recovery, if it’s enabled.
This means that any time an attacker gains access to a phone number, they can plug it into Gmail and fish to see if they can break into an account. And of course, once you’ve broken into email you’ve broken into everything, because you hit “Reset my account” on everything else.
And telcos have proven to be terrible at guarding the security of phone accounts. Most people can call and sweet-talk their way into resetting phone accounts with no PINs, no passwords, no nothing.
That’s why I haven’t set up SMS-based account recovery for Gmail or anything else.
SMS can be good if it’s really used as the second factor: Vanguard will text me a code if I access my account from a new computer, but only if I’ve already put in my password.
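The two flows this comment contrasts, as an added example that is not the commenter's code and models no real site: one login path issues an SMS code only after the password has been checked (SMS as a true second factor, with a time limit, an attempt budget and single use), while a phone-number-only recovery path lets whoever can read the SMS set a new password with no other knowledge of the account. The user store, outbox, `Session` class and all function names are assumptions constructed for the example; a real service would store a password hash and hand messages to an SMS gateway.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory state for the example (not a real service).
USERS = {"alice": {"password": "correct horse", "phone": "+15555550100"}}
OUTBOX = []             # (phone, text) pairs that "were sent"
PENDING_RECOVERY = {}   # username -> code issued by the recovery flow
CODE_TTL = 300          # seconds an SMS code stays valid
MAX_ATTEMPTS = 5        # guesses allowed per issued code


@dataclass
class Session:
    username: str = ""
    password_verified: bool = False
    sms_code: str = ""
    sms_issued_at: float = 0.0
    sms_attempts: int = 0
    authenticated: bool = False


def _send_code(phone):
    """Generate a 6-digit code and 'send' it to the number."""
    code = f"{secrets.randbelow(10**6):06d}"
    OUTBOX.append((phone, f"Your code is {code}"))
    return code


# --- SMS as a real second factor: reachable only after the password ---------

def verify_password(session, username, password):
    """First factor: something the user knows."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session.username = username
    session.password_verified = True
    return True


def request_sms_code(session, now=None):
    """Second factor: refuses outright if the first factor was not presented."""
    if not session.password_verified:
        raise PermissionError("second factor requested before first factor")
    session.sms_code = _send_code(USERS[session.username]["phone"])
    session.sms_issued_at = time.time() if now is None else now
    session.sms_attempts = 0


def verify_sms_code(session, code, now=None):
    """Accept the code only within its TTL and attempt budget, and only once."""
    now = time.time() if now is None else now
    if not session.password_verified or not session.sms_code:
        return False
    if now - session.sms_issued_at > CODE_TTL or session.sms_attempts >= MAX_ATTEMPTS:
        session.sms_code = ""   # expired or exhausted: caller must request a new one
        return False
    session.sms_attempts += 1
    if not hmac.compare_digest(session.sms_code, code):
        return False
    session.sms_code = ""       # single use
    session.authenticated = True
    return True


# --- The pattern the comment warns about: SMS as the *only* factor ----------

def find_account_by_phone(phone):
    """Mirrors a 'Find my account' form that accepts a bare phone number."""
    for username, user in USERS.items():
        if user["phone"] == phone:
            return username
    return None


def start_phone_recovery(phone):
    """Sends a code to the number; nothing else about the owner is required."""
    username = find_account_by_phone(phone)
    if username is None:
        return None
    PENDING_RECOVERY[username] = _send_code(phone)
    return username


def finish_phone_recovery(username, submitted_code, new_password):
    """Whoever can read the SMS sets a new password: a single factor."""
    expected = PENDING_RECOVERY.pop(username, "")
    if not expected or not hmac.compare_digest(expected, submitted_code):
        return False
    USERS[username]["password"] = new_password
    return True


def attacker_with_stolen_number(phone, new_password):
    """Walks the recovery path knowing only the phone number (e.g. after a SIM swap)."""
    username = start_phone_recovery(phone)
    if username is None:
        return False
    code = OUTBOX[-1][1].split()[-1]   # attacker reads the SMS on the hijacked number
    return finish_phone_recovery(username, code, new_password)
```

Running `attacker_with_stolen_number("+15555550100", "pwned")` succeeds and the attacker can then log in with the password they chose, whereas calling `request_sms_code` on a fresh `Session` raises before any code is sent.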