Last I checked, even the US federal government required SMS 2FA to get into your Social Security account.
But the problem is also only allowing SMS 2FA. Why not allow both and let people choose TOTP?
I have a feeling SMS 2FA is used as a cheap way to implement a rough social credit score. If you have a stable life and follow the rules, then you have continuous access to the same phone number. And only allowing SMS 2FA allows you to only deal with this population, and ignore populations that might have higher proportions of “costly” customers.