What are you doing to combat the risks of attacks like SIM-swapping?
Personally I find using phone numbers for this purpose as a cop-out, and like you said it's just a Twilio account away from being defeated. Like captchas it's only a matter of time before that is the baseline capability for bots and you're in no better place than before, except now your users have worsened security.
IMHO the true business incentive for requiring numbers is just getting identity-coupled phone numbers which add significant value to their collection of PII.
Personally I find using phone numbers for this purpose as a cop-out, and like you said it's just a Twilio account away from being defeated. Like captchas it's only a matter of time before that is the baseline capability for bots and you're in no better place than before, except now your users have worsened security.
IMHO the true business incentive for requiring numbers is just getting identity-coupled phone numbers which add significant value to their collection of PII.