Isn't 2fa by sms bad though? You hear a new case almost every week of someone whose telco was socially engineered to gain access to their phone number linked 2fa/account recovery.
Bad is relative, it is bad compared to other more secure methods. But if you can't guarantee that your users have a smartphone, SMS is still a needed option.
