
I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, TOTP, any smartphone for U2F, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.
