I've often wondered if companies prefer SMS over TOTP for multi-factor authentication because it provides them with a reliable phone number for each customer.
At least one company promised that phone numbers will be used only for authentication, but was caught using them for marketing (which is exactly why I don't trust most companies with my phone number in the first place).