
Someone would have to be pretty dumb to go to the trouble of setting up 2FA, but then use a publicly readable text service instead of their phone.



Do not underestimate the capabilities of a non-technical user wanting to be helpful giving another non-technical user seemingly authoritative advice on an Internet message board. (If it is not obvious, I am not speaking hypothetically here; I have watched this happen.)

And if you think "Gah, only an idiot would...", read HN threads about law sometime.


It really depends. Not so long ago Humble Bundle forced 2FA on me and I had the choice of forfeiting my 100-game library or setting up 2FA. I don't care at all that Steam gives them heat about how some Steam keys are used, and I care enough about my phone number not to give it away.

Then there was the time when I was traveling and verification SMS would not reach me because my carrier plan does not include receiving SMS internationally.

Then there were a few other times and cases of not using your phone (provided you have one and a carrier plan) but a public text service instead.

To me phone-based 2FA is mostly a scheme to collect users' phone numbers, as there were schemes in the past to collect email addresses. It introduces a pretty serious point of failure by relying on a mobile number (no battery, no signal, no phone, changed number, prepaid card, etc.) while only being helpful in fringe cases such as when my password has been stolen.

Moreover it promotes bad security practices instead of fixing security issues: just slap some 2FA on top of whatever exists and now it is secure.

Then there is the question of how I change my associated number when I change phone numbers, and then what prevents a social engineering pro from changing the number too?

I'm not sure using a publicly readable text service is so wrong: it mitigates the relying-on-a-phone point of failure, protects your privacy better, and someone else reading the code may not be a problem, as the code alone is useless.

As usual this really depends on what threat model you are trying to protect against. Neither option will be able to protect you from a targeted nation-state attack.


> Not so long ago the humble bundle forced 2FA on me

Never had that request from them, and I'm an active user of the Humble Bundle and Humble Store. What triggered that request?


Which means it will most likely happen. Even techies make stupid mistakes, such as me not changing my Skype password the other day and having the account breached. Sigh.


I checked the article to see if I could do exactly that. Why couldn't the second factor be another web service? Password resets shouldn't be possible with the second factor alone anyway. What's the use-case for a publicly readable text service? I'm not familiar with any such services.


The use case is anything that requires you to provide a number to receive a confirmation text, from registration at a personal-data-hungry website (Facebook, Google, etc.) to two-factor authentication.

At some point in the past collecting user email addresses became the standard, and using disposable email addresses was the answer. More recently the trend seems to have escalated to collecting phone numbers, to which the answer is those public text services.


> What's the use-case for a publicly readable text service?

Abuse, for one -- many services use "prove you control a phone number" as a first-pass filter for "An action which is easy to do once but hard to do 100,000 times" to authorize people to do a wide variety of things.


Apologies. I'm not a native English speaker. I am still having a problem imagining in what sense an SMS service might be "publicly available", and how public availability helps in proving control of a phone number :-$


Have you visited one? https://smsreceivefree.com/ for example. You will understand what publicly available means: they provide a phone number, you use it for whatever, and you check the site page where all texts sent to this number are displayed.


Well, that was an interesting read. Judging by the received SMS, people register WhatsApp accounts with those numbers, for example!





