First, to get it out of the way, app-based 2FA is superior in many ways. But we also need to recognize that some 2FA is better than nothing.
I would offer two scenarios: first, you're about to go bankrupt, and second, you want to do it the right way.
1️⃣ In the first scenario, an acceptable answer would be to disable SMS 2FA altogether, clearly communicate why it's happening, and provide an easy migration path.
2️⃣ In the second scenario, I would prefer to have it this way:
- Disable SMS 2FA for new accounts.
- Bug users on SMS 2FA with a popup that pushes them to migrate to app-based 2FA.
- After a while, lock the remaining users until they enable app-based 2FA.