Maybe organizations in charge of cybersecurity compliance frameworks? We'd see a lot of companies drop SMS 2FA pretty quickly if it became a requirement to maintain their SOC compliance.
I don't think we need a complete sweeping ban to get it to largely fall out of use, just a critical mass to drop it so it's no longer defensible as an industry standard
