Does your web service currently support SMS 2-factor codes? Can your users recover their password with an SMS code?
You should seriously consider dropping support for both of these things now!
SIM swap attacks have been known to the hacker world for a while now and with higher profile reporting on them recently, it's possible we'll see a spike in these attacks.
It's very easy to pull off, even for a non-technical attacker. At the very least, ensure users can fully opt out of SMS features.
Social.Rights.Ninja is a small Mastodon instance for those looking for a quiet home-base from which to explore the fediverse. Please email email@example.com for information on getting an invite.