
Anyone offering 2FA via SMS without any other possibility needs to be named and shamed.

Instagram

any bank

etc



It's better than not having it at all, I would think.


That depends. If you're a sufficiently valuable target, it's actively worse, because it creates a false sense of security.


I disagree that it's worse. I have SMS on some of my accounts.

I am aware of the risks, but it's inherently better than nothing at all.


I have yet to see how an SMS / mobile phone account can be hijacked in places where getting a new SIM card requires some form of ID. So SMS being unsafe for 2FA is mostly (?) a problem in the US and some parts of the EU.



If I know your phone number I can get your 2FA code. It's a security HOLE.

Instagram accounts get swiped all the time. There is a vibrant account trading economy on IG, and there are no reassurances that the account won't get swiped back.

Facebook knows how to do 2FA without SMS, but they want everyone's phone numbers and social graph too much.

Account trading lives in the shadows and it won't have a favorable public view, therefore the problems inherent to the platform itself don't get attention right now.

Putting Facebook on blast is the way to change this.


The only reason it's not worse is because nobody's leaked a phone number database yet with accuracy regarding who is using it for 2FA. Currently strangers can't quickly look at a list of phone numbers and tell if they are used with Instagram or Facebook and whether that account is even valuable.

Just security through obscurity.



