SMS: Here is your 30s “MFA” code, I’ll send it to you 40 minutes after you need it.
SMS isn’t 2FA. Its 1.5FA.
SMS isn’t even secure. Mitm, social engineering, straight up theft, and more are all ways around it. It should never have been implemented, but especially not when totp exists.
Sorry, as IT person I have to disagree, app based MFA is just way much easier to maintain instead of HW keys.
Edit: forgot to mention that in Finland companies here has to provide phone if your work require that. In IT I don’t want nothing to do with users personal devices, and it sounds insane to me that in US companies force apps to your personal devices.
App-based TOTP are not phishing resistant and do not require any level of proximity to the login session. The future is more likely passkeys that use device TPMs.