True, but as long as the user does realize this, and they still keep using the very same high quality password, it is better than that very password without 2FA over SMS.