Have they? It seems the trend is to support Authenticator apps (i.e. one-time scan a QR code to a TOTP URL that I store on my own device). I haven't seen too many products that support TOTP 2FA but require SMS 2FA.
Some companies do require a phone number to set up an account (because it's the best proxy we have for "one per real person" or "expensive for one person to get many of"), but if they're competent then you can remove it as a 2FA option if you replace it with a TOTP code. [0]
If you ask me, it should be illegal to require SMS 2FA without an opt-out to TOTP. Perhaps relatedly, I'm also curious about the percentage of Twilio revenue from 2FA messages.
[0] RANT: Google, in typically creepy fashion, makes it difficult to enable TOTP without first either providing a phone number, or downloading a Google app to "tap to login!" on your phone. But they do allow you to set up a hardware token, so I found a workaround [1] to configure TOTP without providing a phone number, which is (perhaps ironically) to use Chrome DevTools to create a virtualized WebAuthn device and add it as a hardware token 2FA option. Then it's possible to set up TOTP and remove the virtualized device, leaving you with only TOTP 2FA and no com.google apps begging you for entitlements on your phone.
[1] https://superuser.com/a/1759306
> It seems the trend is to support Authenticator apps
Oh, I wish that were true for financial institutions. But for my sample size of 3 credit unions, 1 large bank, and 1 brokerage, only one (small CU) supports TOTP. All the others have SMS as the only, mandatory 2FA. It drives me crazy how backwards that is.