
IMO SMS 2FA is great since it is sufficient to stop automatic mass account stealing.


So is an authenticator app.

Also, SMS isn't, because attackers often get access to the SMS network itself (see e.g. Salt Typhoon) in which case they can do automatic mass account stealing because they can see all the totally unencrypted SMS codes.

The security of SMS really is that bad.


Not to mention LTT showed the ability to spoof and steal SMS directly, on specific targets, using the international phone system's trust, something that is effectively impossible to block due to the inherent trust built into cell companies at the moment.


> attackers often get access to the SMS network itself (see e.g. Salt Typhoon)

"Often"?


Bit of an understatement, should be "always have access" if state attackers are included in the threat model.


To be fair, there are also non-state attackers that can mass intercept SMS.



