#SMS #MFA is disliked by a lot of tech professionals and companies because it is susceptible to a variety of attacks, especially targeted attacks.
BUT it remains one of the best and easiest options for people who are difficult to onboard to device-based MFA and (in my personal experience) a good stepping stone to other device-based MFA methods.
Let's look at Google's 2019 research into the subject. https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ab2bedf04f6d4ff60c59b502809c2f151373de54.pdf
I have tried, for example, to onboard people with security keys and they _keep losing them_ or _disabling them_.
They don't have the ability to plug it into their phone, they forgot to charge it, they left it at home as our society goes more and more keyless, it fell out of their wallet, it stopped working because fairies, it got wet…
That ease of use is a _huge_ factor in onboarding and keeping people using them.
Also while SMS MFA is not perfect by a long shot and is especially susceptible to spear phishing it works _pretty well_.
Is it as good as other options? Heck no!
But would I describe it as "terrible" the way some commentators do? Eh, not really. Preventing 76% of targeted attacks and 100% of bot attacks is certainly not nothing.
#TOTP tokens would seem to be easy enough—you already have your phone on you and it is usually in an app—but I can't tell you the number of people I've seen run into challenges when they change phones. Especially if the previous phone was lost or destroyed.
They don't remember their Authy password. They never printed their backup keys. Google Authenticator doesn't transfer between devices. They forgot to transfer the number.
SMS just… works in these situations.
Completely anecdotally (in a thread with a lot of anecdata already) I've also found it easier to _upgrade_ people from #SMS to Some Other Method™ in the future.
Once you get their foot in the door and they get into the habit of using #MFA, it is easier to get them to add other methods and thus shrink their attack surface.
Maybe they leave SMS as a backup for a while until they are confident, that's still a huge win: the attack surface of SMS as a backup is smaller than daily use.
Does any of this say that #SMS #MFA is _better from a security standpoint_?
For an individual, _hell no_. Especially if you are in a high profile situation (e.g., jack on twitter), have privileged access to a company, or would otherwise be a more tempting target to a dedicated attacker.
But is it "terrible"?
I'd argue that _if you factor in usability_ the answer to that is a resounding **no**.
So back to #Twitter.
Compromising #twitter accounts, except for the highest profile situations or situations where they are using it for OAuth into something more critical, is mostly going to look like a bot attack or a general phishing attack.
Preventing 95+% of these sorts of things is incredibly valuable.
Turning that off is _unconscionable_.
OTOH, if you truly believe that it is terrible, _leaving it enabled for your highest engagement accounts is not good either_.