Actually 2fa via SMS is a bad idea. Check out Troy Hunt's HIBP project to get an idea of how common password reuse is.
A good way to think about the SMS problem is this: As a second factor, your cellphone is considered by many to be "something you have". TOTP like Google authenticator does verify you are in possession of that device through a shared secret key.
SMS does not verify this and the factor is not something you have. Instead, SMS is more like "something loosely associated with you that is transferable and vulnerable to social engineering attacks".
Anything is better than nothing. However this may be worse because it provides a false sense of security.
Demonstrating that passwords are also a poor factor doesn't make using SMS as an additional factor a "bad idea". A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
It turns out there are no really good ways to authenticate individuals at scale. The answer is not to deride and blacklist arbitrary bad options from the pool, but to add even more factors so that their differing contexts present a more formidable holistic challenge.
Obviously, as GP points out, supporting multiple factors but allowing any one of them to be used in isolation is just building a chain with a weakest link. Better to build a chain-link fence.
A physical cell phone is also something that is loosely associated with you, transferable and vulnerable to social engineering attacks.
SIM swapping is not always the result of social engineering attacks. There are bad actors that work for carriers who will knowingly fraudulently swap SIMs.
At least with something like Google Authenticator that can be done at scale, someone has to have your physical device and has to get past your hopefully secure PIN code/fingerprint sensor/Face ID or use rubber hose decryption.
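As an added illustration of the "shared secret key" point made earlier in the thread (TOTP proving possession of the enrolled device) and of the Google Authenticator comparison above, here is a minimal RFC 4226 HOTP / RFC 6238 TOTP verifier. It is example code written for this page, not code from any commenter or from Google Authenticator. The secret is the published RFC test key, not a real credential; the verifier class, its window and its replay guard are design choices of this example, not something the thread specifies.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for the example: the RFC 4226 / RFC 6238 test key.
# A real deployment generates a random per-user secret at enrollment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at_time) // step, digits)


def match_counter(secret: bytes, candidate: str, at_time: float,
                  step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the candidate matches, or None.

    The window tolerates small clock skew between the phone and the server.
    Comparison is constant-time so a wrong digit does not leak by timing.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return counter + delta
    return None


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Possession is proven only because the phone holds the same secret;
    the accepted counter is remembered so a captured code cannot be replayed
    (this replay guard is a choice of the example, not part of RFC 6238).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, candidate: str, at_time: float = None) -> bool:
        if at_time is None:
            at_time = time.time()
        matched = match_counter(self.secret, candidate, at_time,
                                self.step, self.digits, self.window)
        # Reject no match and any counter at or before the last accepted one.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Phone side: derive the current code from the shared secret.
    now = time.time()
    code = totp(DEMO_SECRET, now)
    # Server side: accept it once, then refuse the replay.
    verifier = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The known-answer values from the RFCs (for example counter 1 and Unix time 59 both giving 287082 with this key) are the check that the arithmetic is right; the replay guard is the part most toy implementations forget.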
Although I agree that in some cases SMS 2FA provides a false sense of security, this argument misses the economy of the attacks here. It's not that black and white.
Any attacks on phone numbers are spearphishing, almost by definition. Some form of identity fraud - no matter how easy it is for an attacker - must be performed in phone number stealing. Even if it's very easy, that's a significant cost for an attacker and not an easily scalable attack. I agree that SMS 2FA must never be presented as an effective means to thwart spearphishing, where attackers are willing to put in this effort.
Now in the real world, password reuse attacks are far more common, and commonly a bigger concern for a random online accounts system. SMS 2FA can be of really big help there.
https://i.pinimg.com/originals/8d/6e/f3/8d6ef375e012df303faa...