
If you have strong generated passwords that are different for each system and you use a password manager, then you would not need 2FA at all. Well, maybe if it is for a system that stores your password in plain text, but who would be stupid enough to keep user passwords in plain text and slap 2FA on top of it.

U2F and 2FA came to life just because people are bad at making passwords and remembering them.

Making non-technical people use a password manager that generates passwords for each page is still hard.

Making non-technical people use SMS as a second factor is easy.

Making non-technical people use tokens is still hard.

There is still a lot of value in having SMS 2FA; yes, you can phish it or you can hijack the number. But that is an argument like: "there is no point in having any security at all because if you install malware on your computer you will get hacked".

Yes, SMS alone is not going to save you, but people have phones and understand that they type the code that comes via SMS to the phone number they provided when registering. The barrier to entry for it is so trivial that I think it still has value.

The barrier to entry to take over someone's phone is not high, but a random kid on the street is not going to do that, just like a random kid who can find your email + de-hashed password in database dumps.

If you have someone who is motivated to get you then probably given enough time they will get you anyway.

So take into account what that SMS 2FA prevents and what issues it is solving. Don't just throw it away.



Hahahaha, you would be surprised: my current employer is thinking of introducing 2FA and yeah, every password is stored in plain text. I've been trying to make them change this for years; also the passwords are limited to 20 chars, yeah.... security is shit here.


Just to add to my comment:

It might be confusing, but that was an account recovery attack.

For account recovery there is no "password", as the thieves just made their own password while having the victim's phone number.

So a phone number as a password recovery option is not secure without any additional checks. Not 2FA, because with this attack there was no second factor.
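The two points raised in this thread, that passwords should never sit in plain text behind a 2FA prompt, and that phone-number-only account recovery bypasses the password entirely, can be shown side by side in a small model. The following Python is an added example, not code from any commenter or from Hacker News: it stores the password and an offline recovery code as salted scrypt digests, issues short-lived single-use SMS-style codes (the "SMS" delivery is simulated by returning the code), and makes account recovery demand both control of the phone number and the recovery code, so that someone who has only hijacked the number cannot set a new password. All names (`Account`, `SmsCodes`, `recover_account`), the phone number and the recovery code are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Password storage: keep a salted scrypt digest, never the plain text.
# 128 * n * r = 16 MiB of memory per hash with these parameters.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt per entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class SmsCodes:
    """Short-lived, single-use 6-digit codes keyed by phone number.

    Delivery is simulated: issue() returns the code instead of sending it.
    `now` parameters exist so the expiry logic is testable without sleeping.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # phone -> (code, expiry timestamp)

    def issue(self, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (code, now + self.ttl)
        return code

    def verify(self, phone, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(phone, None)  # pop: a code is valid once
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code)


class Account:
    """Constructed user record: password and recovery code both stored hashed."""

    def __init__(self, username, password, phone, recovery_code):
        self.username = username
        self.phone = phone
        self.salt, self.pw_digest = hash_password(password)
        # The user keeps the plain recovery code offline; we keep only its digest.
        self.rc_salt, self.rc_digest = hash_password(recovery_code)


def login(account, password, sms, sms_code, now=None):
    """Normal login: the hashed password is the first factor, the SMS code the second."""
    if not verify_password(password, account.salt, account.pw_digest):
        return False
    return sms.verify(account.phone, sms_code, now)


def recover_account(account, sms, sms_code, recovery_code, new_password, now=None):
    """Recovery must not rest on the phone number alone.

    The SMS code only proves control of the number (which can be hijacked);
    the offline recovery code is the additional check that ties the request
    to the account owner. Only when both pass is a new password set.
    """
    if not sms.verify(account.phone, sms_code, now):
        return False
    if not verify_password(recovery_code, account.rc_salt, account.rc_digest):
        return False
    account.salt, account.pw_digest = hash_password(new_password)
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple", "+15550100", "RC-7K2P-9QW4")
    sms = SmsCodes()
    # Someone holding the hijacked number but not the recovery code gets nowhere.
    code = sms.issue(acct.phone)
    print("number-only recovery:", recover_account(acct, sms, code, "guess", "new-pw"))
    code = sms.issue(acct.phone)
    print("number + recovery code:", recover_account(acct, sms, code, "RC-7K2P-9QW4", "new-pw"))
```

The `now` arguments are only there so the code's expiry and single-use behaviour can be exercised deterministically; in a real service the clock is read directly and the code is sent rather than returned.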
