
How can an arbitrary number be used to abuse your service? At least for SMS "2FA" you only need to be able to send a message to a number associated with an existing account.

As long as you aren't using SMS as your rate limiting step to acquire an account then it doesn't matter if someone has 1 phone number or 1000 numbers. In the case that SMS verification is the rate limiting step, why not switch to an open captcha or similar system?


