I’ve made the argument before and continue to stand by it. SMS as an MFA factor will always be a weak second factor. It’s not really “something you have”. It’s just a time limited second password. This is fine for low security applications. But, if you need higher security, go to smartcard, yubukey or something that must be physically present.