It costs zero dollars and takes the same amount of time as the SMS verification would on a regular phone. If the sign-up site is continuously vigilant enough to find and prohibit every number on every one of these sites (not so cheap to implement) then there are sites that give you immediate access to a non-published number for $5. Even this is not "enormous resources" by any means.
But the even bigger implementation cost is that there are many people who don't have a personal cell phone number to receive SMS, and you're either disenfranchising them or pushing them to use sites like that which obviously allow anybody to see the verification codes sent to the phone number which is now associated with their account.
> A significant amount of online properties use SMS for 2FA and authentication
Using SMS for optional 2FA is a mediocre security practice but is mostly harmless (because people can opt out; though it still makes it possible to lose your account if you use it, your number changes and then the site requires you to authenticate with it).
Using it for mandatory 2FA has the problems discussed.
But I also want to point out that actual major sites exist that use SMS as the sole and mandatory authentication factor, and they are very powerfully incompetent.
https://receive-smss.com/
It costs zero dollars and takes the same amount of time as the SMS verification would on a regular phone. If the sign-up site is continuously vigilant enough to find and prohibit every number on every one of these sites (not so cheap to implement) then there are sites that give you immediate access to a non-published number for $5. Even this is not "enormous resources" by any means.
But the even bigger implementation cost is that there are many people who don't have a personal cell phone number to receive SMS, and you're either disenfranchising them or pushing them to use sites like that which obviously allow anybody to see the verification codes sent to the phone number which is now associated with their account.
> A significant amount of online properties use SMS for 2FA and authentication
Using SMS for optional 2FA is a mediocre security practice but is mostly harmless (because people can opt out; though it still makes it possible to lose your account if you use it, your number changes and then the site requires you to authenticate with it).
Using it for mandatory 2FA has the problems discussed.
But I also want to point out that actual major sites exist that use SMS as the sole and mandatory authentication factor, and they are very powerfully incompetent.