I’ll be the first one to admit that I jumped the gun a little when Twitter announced that their founder, Jack Dorsey, had his account hijacked.
Initially, no one (including yours truly) had details as to how his account was taken over. However, all fingers pointed at a SMS jacking, which wasn’t terribly far from the truth. The assumption was that this allowed them to use SMS combined with some knowledge of Jack’s password to access the account. That turned out to be inaccurate:
So, yeah, it wasn’t a 2FA hack, but it did show how fragile an account can be when SMS is involved. There’s a reason NIST deprecated SMS as an out-of-band factor of authentication when they updated their 800-63-3 standard.
SMS is still dominant as a method of two-factor authentication because it is one of the lowest barriers to entry, both for the identity provider (IdP) and the user. It is also arguably the least secure method, as Jack Dorsey’s case proved.
That said, if SMS is your only option for 2FA, use it. In the case of Twitter, it is not (much to their credit). You can use both an application based method (such as Microsoft Authenticator, Google, or Authy) and/or a Security Key leveraging FIDO’s Universal 2-Factor protocol (U2F). For account recovery, you can store a backup code in your password manager (or somewhere else).
A key can cost as cheap as $20 and can be used to secure a number of your critical accounts.
Twitter caught a lot of flack on this case, somewhat unfairly. That being said, I do think they should remove SMS as a method for 2FA. Mobile apps for 2FA are pretty ubiquitous and a low barrier to entry for all users. So help your user base out, and turn it off. That wouldn’t have saved Jack, but that is a post for another day.