SMS has poor end-to-end security. It's not end-to-end encrypted, there's no guarantee of effective transport encryption, and the parties involved may not be trusted.

In the common case, the sender will submit an SMS to an aggregator. The aggregator may send it on to the carrier's gateway, or another aggregator, or a 'grey route'. Grey routes are usually things like GSM modems or automated phones with consumer-oriented service plans. The carrier's gateway may be operated by a third party, and is hooked up to the internal messaging system.

Generally speaking, all of these points log message content for a significant amount of time, and often logs are available in near real time. That's potentially a lot of people who have legitimate access to view the messages in real time; if any of the points in the message flow have a security issue, your messages are vulnerable. And the message flow is opaque.

Sometimes, the over-the-air part of the messaging isn't well encrypted either, so being in the right place with the right equipment gives you access to the codes, without any insider access.

With respect to your idea... If I'm a common person with one phone and no other computing devices, how do I scan the QR code on the screen from the app I want to log in to with the app you've provided? Also, when I lose/drop/etc. that single device, how do I get my account back? Account recovery that relies on users to take proactive steps tends to be low success. This is the hard part, and where SMS as 2FA tends to do well; account recovery is outsourced to the phone companies of the world.