
Most large banks already largely offer non-SMS 2FA through their companion mobile apps. This is about pretty much every other service you have that does not have a dedicated mobile app and doesn't want to teach their users how to manage their 2FA codes.


The problem with the above statement is that merely “offering” a better option doesn’t solve the issue. The mere presence of SMS as one option gives the same risk as if it were SMS-only. An attacker can choose the SMS option (after slipping $100 or even just a fake ID to the teen at the phone store to SIM-swap you) even if you never would use it. It needs to be at minimum able to be permanently disabled on demand.


Offering it as an option does not necessarily mean allowing both SMS and non-SMS options simultaneously.


I suppose, but in practice nearly all systems I’ve seen allow the attacker to opt for SMS, on demand, unless you’ve been allowed to not put in a phone number on file. Which is not always the case.
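The point the thread is making, that an account is only as strong as the weakest factor the login flow will accept, is easy to see in a server-side factor selector. The following is an added example, not code from the thread or from any particular service; the factor names, the `ASSURANCE` ranking, and the rule that a phone number on file implicitly makes SMS selectable are assumptions chosen to model the behaviour the comments describe:

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed relative assurance of each second factor. SMS ranks lowest because
# control of the phone number (SIM swap, port-out) is enough to receive the code.
ASSURANCE = {"sms": 1, "totp": 2, "webauthn": 3}


@dataclass
class Account:
    username: str
    enrolled: set = field(default_factory=set)   # factors the user set up deliberately
    phone_number: Optional[str] = None            # on file => SMS implicitly offered
    disabled: set = field(default_factory=set)    # factors the user has opted out of


def selectable_factors(acct: Account) -> set:
    """Factors the login flow will accept for this account.

    Models the behaviour described in the thread: a phone number on file makes
    SMS available even if the user never enrolled it as a factor.
    """
    factors = set(acct.enrolled)
    if acct.phone_number:
        factors.add("sms")
    return factors - acct.disabled


def effective_assurance(acct: Account) -> int:
    """An attacker picks the weakest factor the server will accept, so the
    account's real assurance is the minimum, not the maximum, of what is offered."""
    factors = selectable_factors(acct)
    if not factors:
        raise ValueError("no second factor available")
    return min(ASSURANCE[f] for f in factors)


def choose_challenge(acct: Account, requested: str) -> str:
    """Server-side gate for a client (or attacker) that asks for a specific factor."""
    if requested not in selectable_factors(acct):
        raise PermissionError(f"{requested} is not an allowed factor for {acct.username}")
    return requested


def disable_factor(acct: Account, factor: str) -> None:
    """Permanently opt out of a factor, refusing if that would lock the user out."""
    remaining = selectable_factors(acct) - {factor}
    if not remaining:
        raise ValueError("cannot disable the only remaining factor")
    acct.disabled.add(factor)


def attacker_can_pass_2fa(acct: Account, attacker_controls: set) -> bool:
    """True if any factor the server will accept is one the attacker controls."""
    return bool(selectable_factors(acct) & attacker_controls)


if __name__ == "__main__":
    # Constructed sample account: TOTP enrolled, phone number still on file.
    alice = Account("alice", enrolled={"totp"}, phone_number="+1-555-0100")
    sim_swapped = {"sms"}  # attacker now receives alice's texts
    print("assurance before:", effective_assurance(alice))               # 1 (SMS)
    print("SIM swap works:", attacker_can_pass_2fa(alice, sim_swapped))  # True
    disable_factor(alice, "sms")
    print("assurance after:", effective_assurance(alice))                # 2 (TOTP)
    print("SIM swap works:", attacker_can_pass_2fa(alice, sim_swapped))  # False
```

The two things a service has to get right are both visible here: `choose_challenge` must refuse a factor the user has disabled rather than silently falling back to it, and `disable_factor` must be something the user can actually do while keeping at least one other factor, otherwise "offering" a stronger option changes nothing about what a SIM-swapper can do.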



