
What's the problem with 2FA with SMS? I'm using it and it's good. They send a signed SMS with a nonce, I verify the signature with their public key, sign the nonce with my private key, then send the signed nonce back. Then the web interface tells me that I have now successfully signed their request nonce XXX, and that they'll be forwarding my login token to authority X. So it's not so easy to tamper with properly made mobile SMS 2FA. My phone never receives the actual login token, nor does service X get it unless I also verify the login request in the browser. Of course, before all this happens, I would also have given preliminary login information like username and password.
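
The flow described in the comment above, sketched as an added example; it is not part of the original comment and not any provider's actual implementation. Ed25519 keys, the two-minute expiry, the in-memory store and all function names are assumptions.

```javascript
// Added illustration; key type, expiry and all names are assumptions.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const service = generateKeyPairSync('ed25519'); // service's signing key pair
const phone = generateKeyPairSync('ed25519');   // user's key pair held on the phone
const pending = new Map();                      // nonce -> login attempt state
const TTL_MS = 120000;                          // assumed challenge lifetime

// Service: after username/password succeed, send a signed nonce by SMS.
function issueChallenge(user, now = Date.now()) {
  const nonce = randomBytes(16).toString('hex');
  pending.set(nonce, { user, expires: now + TTL_MS, phoneSigned: false });
  return { nonce, sig: sign(null, Buffer.from(nonce), service.privateKey) };
}

// Phone: refuse anything not signed by the service, then countersign the nonce.
function phoneRespond(sms) {
  if (!verify(null, Buffer.from(sms.nonce), service.publicKey, sms.sig)) return null;
  return { nonce: sms.nonce, sig: sign(null, Buffer.from(sms.nonce), phone.privateKey) };
}

// Service: accept a reply only for a live, not-yet-answered nonce with a valid signature.
function acceptPhoneReply(reply, now = Date.now()) {
  const attempt = pending.get(reply.nonce);
  if (!attempt || now > attempt.expires || attempt.phoneSigned) return false;
  if (!verify(null, Buffer.from(reply.nonce), phone.publicKey, reply.sig)) return false;
  attempt.phoneSigned = true;
  return true;
}

// Service: release the login token only after the browser also confirms.
// The token is never sent to the phone, and the nonce is single-use.
function confirmInBrowser(nonce, now = Date.now()) {
  const attempt = pending.get(nonce);
  if (!attempt || now > attempt.expires || !attempt.phoneSigned) return null;
  pending.delete(nonce);
  return { user: attempt.user, token: randomBytes(16).toString('hex') };
}
```

A forged SMS fails on the phone, a reply signed with the wrong key or replayed fails at the service, and no token is issued until both the phone signature and the browser confirmation are present.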

