On one hand, SMS is not free. On the other hand, maintaining a short code is like $3000 quarterly last time I had it quoted, and you're looking at $0.003 for outbound text messages and $0.0009 for inbound. You'd also have to maintain a block list to remain compliant with FCC regulations, though doing the service as opt-in only may get you around that a bit.

Now let's do some napkin math. If the 450,000,000 active users perform a login once a month that triggers second factor, you'd take that $0.003 and multiply it by the total active users. That gives us $1,350,000 in outbound SMS fees. That is... actually quite a bit more money than I expected.