Absolutes are the wrong language. It adds a significant burden (steal the user's phone account), which if nothing else requires individual attention, which drastically changes the economics of an attack vs, say, mass automated attacks using leaked passwords checking for re-use. Sure, you and I might have unique randomly generated passwords for our accounts, but not everyone is so careful, and SMS verification can and does save many an account.
Absolutes are the wrong language. It adds a significant burden (steal the user's phone account), which if nothing else requires individual attention, which drastically changes the economics of an attack vs, say, mass automated attacks using leaked passwords checking for re-use. Sure, you and I might have unique randomly generated passwords for our accounts, but not everyone is so careful, and SMS verification can and does save many an account.