The big benefit of SMS for the website is that it outsources the problem of lost 2FA tokens. What happens if the user loses a YubiKey? Or changes phones and did not back up their TOTP? With SMS authentication, even if the user loses a phone, they can go down to the local cell phone store and get a new phone on their number and be back in business without the website having to get involved.
Joking aside, I've moved almost every 2FA to hard token, soft-token, or Google Voice. But the root of trust is still LastPass & Google. I don't see an easy way out of dependency other than power of attorney. Even worse: I worry what happens to my protected assets as I age and possibly face memory loss.
Bad idea: Google will disable your Google Voice after some time of not logging in.
I got bitten in a bad way!
Hopefully Twilio will start creating "recognized" numbers someday, as my Twilio number is unusable for TOTP. There seems to be a blacklist of all Twilio VoIP numbers.
I read an article here some time ago that banks take no responsibility if they lose/destroy the contents of their boxes as someone learnt the hard way with precious family possessions.
GitHub & GitLab require you to register a TOTP authenticator app before you can enable U2F (presumably to avoid manual resets, although they don't say).
Google's enhanced protection requires you to have 2 distinct YubiKeys to sign up.