@b_t_walsh @SwiftOnSecurity Yup, agreed, although if you're going to offer SMS 2FA you also have to treat it as a weaker indicator if you get an account recovery request (I can't remember my password, if you send me a code, I'll tell you it and you can reset the pwd).