@tao right but the problem is that by forcing users to do 2FA by SMS, you force them to have a mobile phone and thus force them to be vulnerable to this attack (certainly if in Europe, and Americans who choose GSM over CDMA are vulnerable)
.