And they're sending the SMS auth token before the password is validated, which opens them up to either spamming a phone's text msgs or Denial of Service if they (or the carrier) impose rate limiting.
TOTP should always be used before SMS auth, and SMS auth should always be used in addition to an offline secret (separate from a password). It's just too easy to abuse the unencrypted, open-network nature of SMS.
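As an added illustration of the ordering problem in this thread (example code, not the commenter's or any vendor's): a login flow that dispatches the SMS before the password is checked, beside one that checks the password first and prefers an enrolled TOTP secret over SMS. The password hash, the SMS sender and the user record are constructed stand-ins.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

SENT_SMS = []  # every SMS dispatch is recorded here so the effect of each ordering is visible

@dataclass
class User:
    username: str
    pw_hash: bytes           # constructed stand-in: sha256; a real deployment uses argon2/bcrypt
    phone: str
    totp_secret: Optional[bytes] = None  # offline secret enrolled via an authenticator app

def make_user(username: str, password: str, phone: str) -> User:
    return User(username, hashlib.sha256(password.encode()).digest(), phone)

def send_sms(phone: str, code: str) -> None:
    SENT_SMS.append((phone, code))

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), user.pw_hash)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) used to verify the offline second factor."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def start_login_flawed(user: User, password: str) -> str:
    # The ordering the comment criticises: the SMS goes out before the password is
    # checked, so anyone who knows a username can make the service text that phone.
    send_sms(user.phone, "123456")
    return "sms_sent" if check_password(user, password) else "denied"

def start_login(user: User, password: str) -> str:
    # Password first: only a caller holding the password can trigger a second-factor step,
    # and the offline TOTP secret is preferred over SMS when the user has enrolled one.
    if not check_password(user, password):
        return "denied"
    if user.totp_secret:
        return "totp_required"
    send_sms(user.phone, "123456")
    return "sms_sent"
```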