
It's not really "replacing" though. Prior to SMS OTP it would just be the password. Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.



Many sites do allow logging in with just an SMS OTP, no password required (even if you’ve set a password for the account). If it absolutely must be used (it shouldn’t), then SMS OTP should be a second factor, not the only factor.


> Having password + SMS OTP is strictly better, regardless of how shitty SMS OTP might be.

Unfortunately, one can claim "forgot my password" and use SMS OTP to reset it. Now it becomes single-factor authentication with a compromised phone.

Password + SMS OTP is strictly worse than a password. At least you cannot SIM swap your password.
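
Added example (editor's illustration, not written by any commenter in this thread): a small audit helper that takes an account's login paths and recovery paths and computes the smallest sets of factors that are actually sufficient to get in, which is the point the comments above argue about. The factor names and the function names are assumptions made for the sketch.

```python
from itertools import product

def _expand(factor, recovery, seen):
    """All factor sets that can stand in for `factor`: itself, or any
    recovery path that resets it (followed recursively, cycle-safe)."""
    options = {frozenset([factor])}
    if factor in seen:
        return options
    for required in recovery.get(factor, []):
        options |= _combine(required, recovery, seen | {factor})
    return options

def _combine(factors, recovery, seen):
    """Every way to satisfy all of `factors`, merged into single sets."""
    alternatives = [_expand(f, recovery, seen) for f in factors]
    return {frozenset().union(*choice) for choice in product(*alternatives)}

def minimal_factor_sets(login_paths, recovery):
    """login_paths: list of sets of factors, each set sufficient to log in.
    recovery: dict mapping a factor to the sets of factors that can reset it.
    Returns the minimal sets of factors that are enough to reach the account."""
    candidates = set()
    for path in login_paths:
        candidates |= _combine(path, recovery, frozenset())
    # Drop any set that strictly contains another sufficient set.
    return {s for s in candidates if not any(o < s for o in candidates)}

if __name__ == "__main__":
    # Constructed configurations mirroring the cases discussed in the thread.
    configs = {
        "password + SMS OTP, no reset": (
            [{"password", "sms_otp"}], {}),
        "password + SMS OTP, SMS-only password reset": (
            [{"password", "sms_otp"}], {"password": [{"sms_otp"}]}),
        "SMS OTP accepted as sole login": (
            [{"password", "sms_otp"}, {"sms_otp"}], {}),
        "reset needs email link AND SMS OTP": (
            [{"password", "sms_otp"}],
            {"password": [{"email_link", "sms_otp"}]}),
    }
    for name, (logins, recovery) in configs.items():
        result = sorted(sorted(s) for s in minimal_factor_sets(logins, recovery))
        print(f"{name}: {result}")
```

Any configuration whose result contains a one-element set is single-factor in practice, whatever the login screen asks for.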



