
Now I only need to find out on which ones of my 200+ accounts this feature is enabled… Honestly, it would be easier for me if the EU just made it illegal, forcing services to disable it for me.


Why? It's not "secure" but it's more secure than nothing.

The paper mentions some websites that claim to use SMS 2FA, but actually use SMS as a single factor for password reset. While that's really bad, I think the solution is to fix those broken implementations, not to stop using SMS 2FA everywhere in favor of using nothing.


The paper also said, "websites should eliminate SMS based MFA altogether".



