Doesnt even have to knick your phone, can re-route using SS7, NIST, NCSC et al. have recommended against SMS second factor for an age.
IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.
However why people are still dreaming up passwords i dont know, just plug the rules into your pwd manager hit generate, et voila ... PLus it evades the 5$ wrench method. I dont even know what most of my passwords are!
password size limit is redundant, a hash comes out the same length no matter the input.
forcing types is useless, length trumps complexity. even if its all lower case a 14 char pwd takes longer to brute force than an 8 char alpha num with specials and uppers.
force a minimum of 12 chars, tie this to the pwnedpassword database, and dissalow anything that was breached, or in a sector/site specific common words list, and roberts your parents male sibling