Can somebody break down the risk of using phone numbers for authentication and two-factor authentication?

I've seen many pieces of documentation warning against using phone number authentication. For example, [Firebase](https://firebase.google.com/docs/auth/web/phone-auth):

"Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number."

I've heard of Pegasus and other SIM hijacking exploits by using silent SMS. Or SIM swapping, where hackers call up the carrier and convince them to hand over a phone number?

On the other hand, WhatsApp and Signal use SMS as their primary authentication method, and most apps offer phone numbers for 2FA.

What is the real-world risk of these exploits? Have manufacturers improved their security around this? How easy are these exploits to perform? How do they work?

Note: Many people complain about the UX of using phone numbers due to losing or changing phone numbers, but that's not a consideration here.