I disagree that SMS two factor is more secure than a password alone. I have found that once you enter your phone, it is more trusted than your password (meaning it alone can reset your password). A phone number is as secure as the least competent support person at your phone provider.
A password, with email reset is better. My email has two factors of authentication, rather than whatever my phone provider requires as proof.
What you describe isn't 2FA, though. "SMS two factor" fundamentally precludes the idea that the second factor can be used as a primary factor, as then it isn't "two factor", it is "one factor".
Yes, it isn't technically an issue when it is purely a second factor. But it almost always ends up being trusted enough that the support team will reset your account with just that info.
This is a MANGA+ problem. I even have my password (and user and IP), but I can't login because Google wants me to confirm a phone number I no longer have.
LifeHack: Don't set up a MANGA account with a phone number. Leave phone# for banking and other important logins.
> I have found that once you enter your phone, it is more trusted than your password (meaning it alone can reset your password).
Sure, but my answer to that is simply, don't trust users' SMS more than their password. You should require two factors of authentication to change settings on any authentication factor (i.e. SMS and email to change password, password and email to change SMS).
A password, with email reset is better. My email has two factors of authentication, rather than whatever my phone provider requires as proof.
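The rule proposed in the reply above (changing any authentication factor requires two other verified factors), set beside the SMS-alone reset the first comment describes. This is an added example, not code from the thread; the function names and the three-factor set are assumptions for illustration.

```python
from itertools import combinations

# Assumed factor set for the illustration; not taken from any real service.
FACTORS = frozenset({"password", "sms", "email"})


def weak_policy_allows(target, verified):
    """Behaviour criticised in the thread: SMS alone may reset any factor."""
    if target not in FACTORS:
        raise ValueError(f"unknown factor: {target}")
    return "sms" in verified


def strict_policy_allows(target, verified, required=2):
    """Allow changing `target` only when `required` distinct *other*
    factors were verified in this session. The factor being changed
    never counts toward authorising its own replacement."""
    if target not in FACTORS:
        raise ValueError(f"unknown factor: {target}")
    usable = (set(verified) & FACTORS) - {target}
    return len(usable) >= required


def audit(policy):
    """Enumerate every (target, verified factors) state and return the ones
    the policy accepts with fewer than two factors other than the target,
    i.e. the paths where one factor is enough to take over another."""
    findings = []
    for target in sorted(FACTORS):
        for n in range(len(FACTORS) + 1):
            for combo in combinations(sorted(FACTORS), n):
                others = set(combo) - {target}
                if policy(target, set(combo)) and len(others) < 2:
                    findings.append((target, combo))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", weak_policy_allows),
                         ("strict", strict_policy_allows)):
        print(name, audit(policy))
```

Running `audit` over a reset policy before it ships lists each state in which a single factor, such as a ported phone number, is enough to replace another one.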