
I firmly want it to be legislated away, but for a slightly different reason. Specifically, you should never be required to disclose a phone number to a business that doesn't absolutely need your phone number to directly render services.

I was eating at a restaurant once -- IN PERSON -- and the fucking web interface they force everyone to use to order food wanted an SMS 2FA. WTF? No. I don't require your waitress to disclose her phone number to order food. And in return, you don't ask for mine. Just take my food order, swipe my credit card, and bring the food to the table; there is no need to disclose a phone number.

I think the ideal law should be: Any business that wants 2FA MUST support at least U2F hardware keys. It's okay to also offer SMS but not okay to offer only SMS.


