
> I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else.

So it's better to not consider that information at all?

What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?

The problem you're describing is that services accept SMS in lieu of other forms of verification, such as an actual password. Personally, I would very much like it if I could turn off any and all forms of "I forgot my password" flows. There should at minimum be a one-week waiting period or similar.
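The recovery design sketched in the comment above (an opt-out switch plus a mandatory waiting period before an SMS-initiated recovery takes effect) is easy to model. The following is an added example written for this page, not code from the commenter or from any real service; the `Account` dataclass, the seven-day `RECOVERY_DELAY`, and the in-memory notification list are all assumptions made for illustration. The point it demonstrates is that SMS verification only opens a time-boxed window that the legitimate owner (who still holds the password or an existing session) can cancel, so SMS alone never grants immediate access.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy constant: how long an SMS-initiated recovery must wait
# before it can be completed. The comment suggests "one week or similar".
RECOVERY_DELAY = timedelta(days=7)


class RecoveryError(Exception):
    """Raised when a recovery step is not permitted under the policy."""


@dataclass
class Account:
    username: str
    recovery_enabled: bool = True          # owner can turn recovery off entirely
    pending_recovery_at: Optional[datetime] = None  # earliest completion time
    notifications: list = field(default_factory=list)  # constructed stand-in for e-mail/push


def request_recovery(acct: Account, sms_code_ok: bool, now: datetime) -> datetime:
    """Start recovery after a correct SMS code; returns when it may complete.

    Proving possession of the phone number does NOT log the caller in. It
    only schedules a recovery and notifies the owner so they can cancel it.
    """
    if not acct.recovery_enabled:
        raise RecoveryError("account recovery is disabled for this account")
    if not sms_code_ok:
        raise RecoveryError("SMS verification failed")
    acct.pending_recovery_at = now + RECOVERY_DELAY
    acct.notifications.append(
        f"recovery requested for {acct.username}; completes at "
        f"{acct.pending_recovery_at.isoformat()} unless cancelled"
    )
    return acct.pending_recovery_at


def cancel_recovery(acct: Account) -> None:
    """Owner, authenticated by password or an existing session, aborts recovery."""
    acct.pending_recovery_at = None
    acct.notifications.append(f"recovery cancelled for {acct.username}")


def can_complete_recovery(acct: Account, now: datetime) -> bool:
    """True only if a recovery is pending and the waiting period has elapsed."""
    return acct.pending_recovery_at is not None and now >= acct.pending_recovery_at


def complete_recovery(acct: Account, now: datetime) -> bool:
    """Finish recovery (e.g. allow a password reset) once the delay has passed."""
    if acct.pending_recovery_at is None:
        raise RecoveryError("no recovery in progress")
    if now < acct.pending_recovery_at:
        raise RecoveryError("waiting period has not elapsed")
    acct.pending_recovery_at = None
    return True


def walkthrough() -> dict:
    """Constructed scenario showing the policy outcomes at several points in time."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    acct = Account(username="alice")
    results = {}

    # 1. SMS code alone: recovery is scheduled, not granted.
    request_recovery(acct, sms_code_ok=True, now=t0)
    results["immediate"] = can_complete_recovery(acct, t0 + timedelta(days=1))

    # 2. Owner notices the notification and cancels within the window.
    cancel_recovery(acct)
    results["after_cancel"] = can_complete_recovery(acct, t0 + timedelta(days=8))

    # 3. A genuine, uncancelled recovery completes after the delay.
    request_recovery(acct, sms_code_ok=True, now=t0)
    results["after_delay"] = complete_recovery(acct, t0 + timedelta(days=8))

    # 4. With recovery switched off, the SMS code is never even considered.
    locked = Account(username="bob", recovery_enabled=False)
    try:
        request_recovery(locked, sms_code_ok=True, now=t0)
        results["disabled_blocked"] = False
    except RecoveryError:
        results["disabled_blocked"] = True
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The waiting period is the security-relevant part: it converts "whoever controls the SIM right now" into "whoever controls the SIM and whose victim ignores a week of notifications", which is a much weaker position for an attacker than immediate account takeover.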



> So it's better to not consider that information at all?

Exactly

> What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?

They're equivalent in my mind - SMS is such a weak 2FA mechanism, and it's so easy to get wrong and have it decrease your overall security, any benefit is lost. Rather than pushing SMS because it's what we have we should make greater efforts to leverage technology that we know is considerably better in every regard except availability today - IMO that is the problem to solve.



