In my blog Your Pa$$word doesn't matter, I laid out the key password vulnerabilities, and in response to a gazillion “but other creds can be compromised, too” DMs and emails, I wrote All our creds ar...
Updated Nov 10, 2020
Version 1.0
Blog Post
I understand all your points, but there are some situations--that involve a LOT of people--where a telephone call is the ONLY way to verify MFA. Specifically, there are a military, civilian, and contractors that work in Sensitive Compartmented Information Facility (SCIF) that is used to process classified information. Cell phones are strictly forbidden. If you're lucky, they have a containers for cell phones outside the SCIF. But trying to verify with other than a phone call (since it's right on the desk) is nearly impossible. DoD rules require you to lock your workstation if you leave it. So to try to use an app is cumbersome at best, because once the the request hits the screen, you have to lock your workstation, wait for the CAC reader to finish writing to the CAC, remove your CAC (because that's also a requirement), run out of the SCIF, and hope you're in time to hit approve on the app. If you're trying to use the pseudo-random generated code. The time is even longer. Because now I have to badge into the SCIF, run to my computer, put my CAC in the reader, log into the system and hope that I'm in time again.
Given that the phone systems and phone lines are run through a military base and likely a switch, it's much more secure than you're usual landline.
Again, I get the emphasis on moving away from phone and text MFA, but there ARE situations where it's not only appropriate, but necessary!