And not only that, most companies that involve SMS in their IDP make it a master key (a single-factor) -- if you can read one text, you can take over the whole account without even having the password. I keep waiting for this to change, but out of all my banks not one supports a proper TOTP.