
In the article, it looks like the code via SMS was never required. Uber sent it out, then allowed a login without it. I've seen something like this before, where companies offer two-factor auth via SMS, but also allow SMS as a password reset channel - which means it's not two-factor anymore.

But in general, you're right. The problem with SMS as a second factor isn't that it's not two-factor, it's the ease of compromising both factors at once. Hijacking phone numbers is disturbingly easy, and smartphones mean that you can steal one physical token and get both email access (for password reset) and SMS access (for the code).



