> Some form of trust that can be bootstrapped again from scratch.

This is not using it as a second factor. It is using it as the only factor. Having SMS as the only factor is not purely additive. As such it can (and obviously does) reduce security.

Account recovery is hard; SMS is quite usable there, but way too insecure to be the only basis for bootstrapping account recovery.



I don't really understand why you think I'm advocating for SMS as the only factor, when I very clearly wrote the exact opposite.

Let's say that you remember your password, but your house just burned down. You cannot replace the U2F keys and backup codes that were lost in flames. But you almost certainly can bootstrap your real life identity far enough to get a replacement SIM.

Which, in combination with your password, should be enough to get your digital identity back.


Except in practice, most providers (even those that should know better, like Google) allow use of SMS, ostensibly set up as a “second factor,” to be used for account recovery without knowing the password. Making it, in practice, 1FA.


Confusion about the word bootstrapping. I read "bootstrapping trust" as regaining trust based solely on SMS.

But indeed, SMS as a second factor is much easier to recover in catastrophic situations than some other second factors. That is a fair point, and an advantage of SMS over other common second factors.
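To make the distinction argued in this thread concrete, here is an added example (not code from any commenter or provider) that models each login or recovery path as the set of factors it requires and rates the account by its weakest path: an SMS-only recovery path pulls a 2FA account down to 1FA, while a password-plus-SMS recovery path keeps it at 2FA and still survives the loss of a U2F key and backup codes. Factor names and paths are constructed for illustration.

```python
# Each path is a frozenset of factors that together grant access to the account.
# The account is only as strong as its weakest path, so the effective factor
# count is the minimum path size over every login *and* recovery path.
PASSWORD, SMS, U2F, BACKUP_CODES = "password", "sms", "u2f", "backup_codes"

# Constructed scenario: normal login is password + U2F or password + backup code.
LOGIN_PATHS = [frozenset({PASSWORD, U2F}), frozenset({PASSWORD, BACKUP_CODES})]
# Recovery as the thread describes some providers doing it: SMS alone resets access.
SMS_ONLY_RECOVERY = frozenset({SMS})
# Recovery as the thread proposes: SMS only in combination with the password.
PASSWORD_PLUS_SMS = frozenset({PASSWORD, SMS})


def effective_factors(paths):
    """Smallest number of factors an attacker must compromise to get in."""
    return min(len(path) for path in paths)


def weakest_paths(paths):
    """Every path that achieves the minimum, i.e. the ones that set the bar."""
    floor = effective_factors(paths)
    return [path for path in paths if len(path) == floor]


def is_additive(base_paths, new_path):
    """A new path is purely additive only if it does not lower the effective count."""
    return effective_factors(base_paths + [new_path]) >= effective_factors(base_paths)


def surviving_paths(paths, lost_factors):
    """Paths still usable after the given factors are gone (e.g. lost in a fire)."""
    return [path for path in paths if not (path & set(lost_factors))]


if __name__ == "__main__":
    print("login only:", effective_factors(LOGIN_PATHS), "factors")
    print("with SMS-only recovery:", effective_factors(LOGIN_PATHS + [SMS_ONLY_RECOVERY]),
          "factors, weakest", weakest_paths(LOGIN_PATHS + [SMS_ONLY_RECOVERY]))
    print("with password+SMS recovery:", effective_factors(LOGIN_PATHS + [PASSWORD_PLUS_SMS]),
          "factors")
    print("house fire, login paths only:", surviving_paths(LOGIN_PATHS, {U2F, BACKUP_CODES}))
    print("house fire, with password+SMS:",
          surviving_paths(LOGIN_PATHS + [PASSWORD_PLUS_SMS], {U2F, BACKUP_CODES}))
```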

