Using only phone number and 2-step verification as login
Is requiring the user to login using phone number and 2-step verification bad design? I have only seen 2-step verification as an EXTRA layer of protection, not a requirement. The only thing similar is a product like Twilo, that sends you a SMS code, but the code never changes and acts as your password.
Can anyone shed some advice on this concept?