imo it’s fine to offer sms-based 2FA, folks can decide whether or not that’s worth it in the context of their own threat models