in reply to along_the_road

This is a crazy problem. Even Apple requires you to use SMS 2FA, and does not let you opt out or use any alternatives.

My employer uses this as well and I was locked out (couldn't do any work) for an entire day because their SMS messages were not being delivered.

As a side note, Apple is also the only platform I've ever used that requires you to type your password in without seeing it, which makes using an actually-secure-password really fucking difficult.

in reply to artyom

2FA isn't the issue. The issue is single-factor logins with only text messages, no password and often no username. Those messages allow anyone who intercepts them to log in; no username or password is involved at all.

2FA via SMS is a perfectly fine solution, though there are more secure options like yubikeys or TOTP generation apps.

in reply to artyom

I messaged my bank and they were unable to opt me out of it....
in reply to artyom

How so?

It's a second factor. It's "something you know", "something you have", and/or "something you are". The username and password are the "something you know" and the SMS message is "something you have" (i.e. the phone). There's no need for the second factor to be secret as long as it is single use and time sensitive and is only used as a second factor, not the only factor.

This article was about single-factor messages that are the entirety of the login flow, so not about 2FA, but I'm still interested in the concerns for a second factor. It is still adding security over a password alone, which is the only goal in the 2FA subject.

in reply to Jul (they/she)

All of the same reasons for single factor also apply to MFA.

It's also dependent on other services, is a privacy violation, and a giant fucking pain in the ass if you ever want to change your phone number, or like me, you have service issues.

There are many other alternate, more secure, more convenient, more resilient options.

in reply to artyom

The problem is that finding something universal that is a "something you have", something almost everyone has, is difficult. Almost everyone has a cell phone these days, so it's a good option to use as that kind of factor. Email is a second "something you know" factor (i.e. via the password to your email account) and could be the same something if you use the same password. And getting someone to carry yet another device, even if it's simple like a Yubikey or something like that, can be difficult. And unless biometric devices become universal on computers as well as phones, the "something you are" factor is hard to accomplish universally as well.

So, what options do you think are better that can be a "something you have" for use as a second factor to a password or other type of "something you know" factor?

in reply to artyom

SMS 2FA is TOTP, just the code is sent via SMS and the key is never shared with the user. But the issue with those apps seems to be even more problematic than SMS from the issues mentioned, e.g. changing phone numbers is not as common as changing phones or other catastrophic events that might cause the keys to get lost. And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer "something you have" because anyone can get the keys if they get the password to the thing storing the keys. SMS-based TOTP leaves the keys only with the site you're logging into and only the time-sensitive TOTP codes are ever sent out. And although the lifetime period for SMS TOTP has to be longer, they are additionally expired on single use (assuming it's implemented properly).
in reply to Jul (they/she)

SMS 2FA is TOTP


You know what I meant.

And if you store passkeys or TOTP generating keys in the cloud, then the factor is no longer "something you have" because anyone can get the keys if they get the password


And anyone can get the keys to your phone number much more easily using the methods detailed in the OP, and what's more there's nothing you can do to prevent it, because you don't control it, and carriers obviously don't care.

in reply to Jul (they/she)

That's the thing though, with SMS 2FA you don't have the keys at all, so you can't generate codes


I don't understand what you mean by "keys" here. Nothing is encrypted. You generate codes by initiating the login process.

Plus the issues with SMS not being encrypted only really exists on 2G services


There is no encryption in SMS...

hack the cell provider


They don't usually hack anything except the humans working at the carrier's service provider.

archived message caches aren't useful.


You don't need archived messages. The most common method is SIM swap, where they start receiving your SMS messages.

These are links that you can log in without needing to even know a username, much less a password, associated with that code


Yes, but all those same attacks are vulnerabilities for MFA as well, as I said previously.

in reply to Jul (they/she)

The way TOTP works


Okay I thought you were still talking about SMS.

The messages aren't encrypted at rest, but the connections are. You need a key in the physical SIM card to intercept anything


No you do not. Most phones don't even have this anymore.

And SIM swap only works if you also have the person's username and password for 2FA


Yes, and for the 3rd time, all the same vulnerabilities exist in MFA.

in reply to artyom

I was talking about SMS. All types of cryptographic code generation use one or more keys. The SMS type just uses one that only the sender holds; it's never shared with anyone, which can cause it to be more easily lost.

The SIM cards and their cryptographic keys are just built into the phones, and the codes are swapped when you sign up, same concept as removable SIM cards.

And again, it doesn't matter if an SMS code is intercepted as much as the entire login method. If you don't have the username and password, what good does an SMS code do for anything? The issue in the article is that there's nothing else to know, just the current format of the set of codes being generated by the system. Then you can randomly guess a similar code and get access to a random person's account. Much, much different from the use of MFA, which is worthless without ALL of the factors, not just a single one.

in reply to Jul (they/she)

If you don't have the username and password, what good does an SMS code do for anything?


The entire point of MFA is to protect against someone who does have your username and password...

in reply to artyom

Exactly, so it does that job because it requires an entirely different and complex skill-set to intercept SMS messages, and you have to do both things now if SMS 2FA is in place. With the issue in the article you don't even need to intercept SMS meant for a particular user to get access to random users' accounts, thus a totally different issue.

I asked, what is better for a second factor than SMS?

in reply to Jul (they/she)

so it does that job


It does, really poorly, for the reasons I've listed, and for the reasons in the OP.

With the issue in the article you don't even need to intercept SMS meant for a particular user to get access to random users' accounts, thus a totally different issue.


Not a different issue at all. Exact same issue, with lower risk.

I asked, what is better for a second factor than SMS?


I answered this like 12 comments ago.

We're going around in circles now so I'll bid you good night.