Some companies main users that they want to protect are customers who consider security to be having one shared password written on the noticeboard in the office. Sadly, sms is just an easier sell to a lot of users, and even getting them to do that can be a nightmare.
As for why proper TOTP isn’t supported as well… the cynic in me gives you the answer “the auditor required we implement 2fa, we have implemented sms 2fa, now go implement shiny feature x instead of wasting time” is probably a common corporate response.
Some companies main users that they want to protect are customers who consider security to be having one shared password written on the noticeboard in the office. Sadly, sms is just an easier sell to a lot of users, and even getting them to do that can be a nightmare.
As for why proper TOTP isn’t supported as well… the cynic in me gives you the answer “the auditor required we implement 2fa, we have implemented sms 2fa, now go implement shiny feature x instead of wasting time” is probably a common corporate response.