2FA is mostly security theatre [0], and 2FA that uses SMS is most definitely just masquerading as security theatre in 2017.
Even NIST updated their guidelines [1] last year to discourage using public switched telephone networks (PSTN) to deliver multi-factor authentication tokens:
Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
Here is the talk from Engel: https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel It is really interesting.
“Private” networks that do not employ encryption and validation need to stop.
Here is another example with the travel agencies' networks: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego