New research: How effective is basic account hygiene at preventing hijacking

It’s better than nothing, but SMS and phone calls are dangerous: it’s too easy to slam a phone number, and many phone companies’ SMS systems are dangerously vulnerable.

Someday a bank or rich person is going to lose 10 or 100 million dollars, and it’ll be because of this. Because their own tech departments were too slow-moving, or too penny-pinching, or too locked into vendor tech, or too locked into old code, and couldn’t get around to or justify RSA fobs or open equivalents, not even an on-device prompt via an app.

Microsoft’s authenticator app is a good step in the right direction; unfortunately, it asks for every permission in the bloody world on your phone, which is absolutely insane and asinine.

“We need permanent access to your camera and all your pictures just in case you ever want to use a QR code to associate an account with your app”, and on and on. Combine that kind of baloney with the advertising/tracking in the Outlook app and Windows 10? They can take right off. No way in hell I’ll ever let the company force me to use that on a personal phone.

Then reflect on the fact that O365 accounts that don’t use Federation cannot have passwords of more than 12 characters and cannot handle passwords with spaces in them. One guess: what does that tell you?
