The problem isn't "2fa": the problem is services that just use it as your identity. You'll go to sign in to the account and it merely asks for your phone number, to which it sends a login link. Or--even more unacceptable as it makes you THINK the password matters--you'll say you "forgot your password" and it sends a code to your phone number and that code is all that was required to get back into the account. This isn't a second factor: this is replacing your first factor (your password); maybe you could call it an "alternative factor"?

It’s impressive how some of the most successful tech companies in the world get this wrong.

If you give your phone number to Google, they will pressure you to enable SMS MFA and SMS account recovery. So your phone number becomes the weakest link into your account, which is pretty bad considering the state of sim swapping.

Google and other companies should make this clear to users. You should never have both SMS MFA and SMS account recovery enabled. If you must, only ever enable one. Ideally, neither.

They effectively outsourced IdP to telcos for free. That's the part that's wrong.

SIM swapping is a problem in most countries.

And the ones who don’t experience this issue at all, perhaps US could study why that is?

> And the ones who don’t experience this issue at all, perhaps US could study why that is?

You'll have to name a few first.

I know the comment you replied to said "most", but that's not a declaration that any countries have actually solved the issue. It's more that some countries are just too small/isolated to see certain crimes, so it's easier to say "most" than "all".

most of the world does not do SMS 2fa. Most of the world does SMS 1fa. Your phone number is the only authentication. The password doesn't even matter, because it will be reset by anyone with the phone number. It's insanely stupid.