SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password to the thing storing the keys. SMS based TOTP leaves the keys only with the site you’re logging into and only the time sensitive TOTP codes are ever sent out. And although the lifetime period for sms TOTP has to be longer, they are additionally expired on single use (assuming it’s implemented properly).
And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password
And anyone can get the keys to your phone number much more easily using the methods detailed in the OP, and what’s more there’s no way to prevent it.
SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer “something you have” because anyone can get the keys if they get the password to the thing storing the keys. SMS based TOTP leaves the keys only with the site you’re logging into and only the time sensitive TOTP codes are ever sent out. And although the lifetime period for sms TOTP has to be longer, they are additionally expired on single use (assuming it’s implemented properly).
You know what I meant.
And anyone can get the keys to your phone number much more easily using the methods detailed in the OP, and what’s more there’s no way to prevent it.