I'm going through the User Pools setup process and there's the following sentence under the MFA and verifications page:
We recommend not allowing phone to be used for both password resets and multi-factor authentication (MFA).
What's the reason behind that recommendation?
If the password reset and MFA are both sent via SMS, it's not true MFA. You want MFA to be configured on a different channel so an attacker who has your phone or SIM cannot reset your password and get an MFA code.
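A small audit check that encodes this answer, added here as an example (not code from the question, the answer or AWS): it flags a user pool in which the phone number is an account-recovery channel while SMS is also an enabled MFA factor. The dicts mirror the response shapes of boto3's `describe_user_pool` and `get_user_pool_mfa_config`; the sample pools are constructed inline so it runs offline. Two assumptions: a pool with no explicit `AccountRecoverySetting` is treated as phone-capable (Cognito's legacy fallback prefers phone over email), and the presence of `SmsMfaConfiguration` in the MFA response is taken to mean SMS MFA is enabled.

```python
"""Flag Cognito user pools that use the phone for both password reset and MFA."""


def recovery_uses_phone(describe_response: dict) -> bool:
    """True if a password reset code can be delivered to the user's phone number."""
    pool = describe_response["UserPool"]
    setting = pool.get("AccountRecoverySetting")
    if setting is None:
        # Assumption: without an explicit AccountRecoverySetting, Cognito falls back
        # to its legacy behaviour, which prefers the phone number; treat as phone.
        return True
    return any(m.get("Name") == "verified_phone_number"
               for m in setting.get("RecoveryMechanisms", []))


def mfa_uses_sms(mfa_response: dict) -> bool:
    """True if MFA is on for the pool and SMS is one of the enabled factors."""
    if mfa_response.get("MfaConfiguration", "OFF") == "OFF":
        return False
    # Assumption: SmsMfaConfiguration is present only when SMS MFA is enabled.
    return "SmsMfaConfiguration" in mfa_response


def phone_shared_across_channels(describe_response: dict, mfa_response: dict) -> bool:
    """The anti-pattern from the answer: one phone/SIM resets the password AND gets the MFA code."""
    return recovery_uses_phone(describe_response) and mfa_uses_sms(mfa_response)


# Constructed sample 1: the configuration the recommendation warns against.
RISKY_POOL = {"UserPool": {"Id": "example-risky", "AccountRecoverySetting": {
    "RecoveryMechanisms": [{"Priority": 1, "Name": "verified_phone_number"},
                           {"Priority": 2, "Name": "verified_email"}]}}}
RISKY_MFA = {"MfaConfiguration": "ON",
             "SmsMfaConfiguration": {"SmsAuthenticationMessage": "Your code is {####}"}}

# Constructed sample 2: recovery by verified email only, MFA by authenticator app,
# so the two channels are separate.
SAFE_POOL = {"UserPool": {"Id": "example-safe", "AccountRecoverySetting": {
    "RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"}]}}}
SAFE_MFA = {"MfaConfiguration": "ON", "SoftwareTokenMfaConfiguration": {"Enabled": True}}

if __name__ == "__main__":
    for pool, mfa in ((RISKY_POOL, RISKY_MFA), (SAFE_POOL, SAFE_MFA)):
        verdict = "FLAG: phone used for reset and MFA" if phone_shared_across_channels(pool, mfa) else "ok"
        print(f"{pool['UserPool']['Id']}: {verdict}")
```

Against a live account the same two functions would be fed the output of `describe_user_pool` and `get_user_pool_mfa_config` for each pool id.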