SMS is not 2FA

Assuming the other factor is "What you know"

What is 2FA?

2FA or Two-Factor Authentication is a security measure that requires the user to successfully pass two different authentication factors to be granted access.

The most commonly used authentication factors online are:

What you KNOW

This authentication factor will test that the user KNOWS a piece of information.

In other words, to successfully pass the validation, all you need is information.

Examples: passwords, personal information

What you HAVE

This authentication factor will test that the user HAS something.

In other words, to successfully pass the validation you have to prove you are in possession of something.

This means that, in contrast to a "What you KNOW" factor, no amount of information in the world is enough to bypass this factor if you don't physically have access to the object to which this factor relies upon.

Examples: hardware security keys (Yubico YubiKey, Feitian), passkeys, a passport, a Time-based One-Time Password (TOTP) generator.

Note: TOTP can, arguably, be considered What you KNOW, because when using a TOTP app the user must input a secret into the app. If this secret is intercepted or if the user saves it, the "HAVING" factor is compromised.

Why isn't SMS considered 2FA?

The most common use case of SMS as an authentication step is to combine it with a login and password (What you KNOW), followed by a code received via SMS.

This leads many people to believe that SMS falls under something you "HAVE", after all you need to physically have the SIM card, or the phone with an eSIM, to connect to the GSM network and receive the SMS.

However this is not true. An attacker, with sufficient knowledge about the victim, might very well be able to impersonate such a victim in a call to their phone carrier and convince them to enable the victim's number on a new SIM card controlled by the attacker.

Another well-known possibility is when the attacker either works for the carrier or corrupts some of their employees to activate arbitrary numbers on request, without the need to impersonate their victims.

All of this is done without ever being in contact with the victim or their belongings and, therefore, it can't possibly be considered a "What you HAVE" factor since at no point the victim lost sight of their belongings.