Lost phone/room/passed out roaming (or do not) - let's goodbye.
As practice shows - this is not a problem.
Phone number to recover much easier than the stolen mail.
I see several other problems:
1) the cost of sending SMS. Authorization this is a fairly frequent event in the General case, SMS will have to send a lot.
2) Users are wary of the idea of bringing to sites that either come via SMS, all of these stories with subscriptions what is taught still.
3) Long authorization process. Until SMS comes while the user will rewrite the code. If such conditions will be on any normal site I as a user would spit and walked away.
In General, I see no reason why authorisation should be done through a one-time code.
If an application with higher requirements for security - you need to use the login password, and the nonce (because the phone can steal and log in)
If the application is regular - it is better to use a login phone number and password, and SMS to use to recover the password or send the password when you register.PS
authorized, the ip listed in the database came from the same machine is authorized, no new code sent
It is better to put the cookie and check for its presence, additionally checking the IP if the cookie is.UPD
, : confirm any critical action SMS with one-time code - a long time ago the standard in the banking industry and gradually penetrates into the other. Two-factor authentication (for the user in critical cases, and force - critical) password recovery is a great case for SMS.
In fact we have no way otherwise to validate the user.
Or app on ios with biometrics or one-time SMS.
If you select normal operator - a phone number is the only method of communication with the user that the user cannot unknowingly lose for a long time.