Hi Denis,

>>I send SMS with 6 digit code.
>>In the enterprise it's established that the users will have to apply a change to the code before entering it in in a textbox.
>>So for example if the code I send is "348825" user knows that the changes necessary are "++--45"
>>...

Security firms and even Microsoft has started recommending against SMS because there are quite a few demonstrated hacks- e.g. https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber but also SS7 exploits that can be undetectable, supply chain attacks... the list goes on.

It's also a problem that many devices preview incoming sms on the lock screen, so a txted code may be briefly visible even if the phone is locked. Your additional transformation will certainly confound an external hacker, but any current or ex-employee must know the transformation so that ongoing obscurity isn't certain.

Check my 2fA post today: Message #01685145 . It describes a TOTP 2FA that doesn't need cellphone numbers or email addresses, instead a validation code that changes every 30 seconds and never gets transmitted off its device, so can't be intercepted or diverted.

Since you've already got the 6-digit validation code entry for your current system, you could easily make this an option#2 for customers that a) is free, b) doesn't require list maintenance of user cellphone numbers and c) doesn't rely on mobile or internet access for the paired device.