I found this story just now in response to searching for the subject on Medium. I was prompted to search after noticing that 2FA has become compulsory on many platforms, very recently, seemingly all simultaneously.
Now we are being denied access if we do not agree to enable 2FA.
I am being denied access to communicating with my remote nearest and dearest until I agree to 2FA.
Why?
Are they trying to pretend they care about us now?
2FA makes sense under certain circumstances, but logically not in the case where it is compulsory.
For it to be effective, each measure must be independently secure. It should not be that we can break one or the other to defeat both.
But, as you pointed out, the phone is not secure; it is easily spoofed, there are many ways of doing that besides the one you identified, and once done, it can easily be used to override the security of the password.
Taking ownership of our phone, with 2FA set up, is all that is needed in practice to take ownership of our identity.
Personally, I don't like that at all. I would rather just depend on my ability to keep my passwords safe, but I am not being given the choice.
The reason they insist is sinister, no matter how we look at it.
It might be just to get our phone numbers for direct marketing purposes; that is valuable data, which will always fetch a price.
But more sinisterly, we are at their mercy.
Do businesses take advantage of those they have at their mercy?
I dunno, you tell me.