Why not just support both? As a savvy user I can choose SMS-only without ever letting Google anywhere near my shared secret.
Or I can implement or build from source a TFA app I trust and use that.
I really hate sites that support TFA and don't support authentication apps, as I have very poor phone service at both my home and my place of work, and hence SMS is a frustrating experience for me.
Wait - I was disagreeing with the GP's assertion that SMS-only was a good idea, so I think we very much agree. Maybe you meant to respond to my parent post?
IMO a shared-secret OTP app is certainly not unbreakable but is more secure than SMS.
SMS is known to be easily subpoenaed and universally stored, while believing in a widespread OTP-app Trojan horse requires some form of tinfoil-hattery. Both are still orders of magnitude more secure than single-factor authentication anyway, and hence I believe both should be included in a reasonable 2-factor authentication solution.
Personally I can't adopt an SMS-only 2-factor solution due to service issues anyway.