I'm sure Dropbox is going to get a lot of flak for this. 2FA based on the provider that they use may not have been cheap. Authy is $0.09 an auth, if you integrate with Twilio, you get SMS charges that vary on price based on country / provider.
The easiest/cheapest solution is to roll your own TOTP and build an app. This is useful for web, but may be pointless on mobile (if the mobile device is unlocked, then you have access to the TOTP app or SMS).
Business people probably looked at the cost per user and couldn't offer it at a lower rate.
You wouldn't need to roll your own app. Just use the Microsoft Authenticator app or the Google Authenticator app, they're the same thing and don't require a direct connection to the user account. Lots of articles on the net on how to accomplish this kind of thing for $0 in extra services.
Isn't 2fa by sms bad though? You hear a new case almost every week of someone whose telco was socially engineered to gain access to their phone number linked 2fa/account recovery.
Bad is relative, it is bad compared to other more secure methods. But if you can't guarantee that your users have a smartphone, SMS is still a needed option.
The easiest/cheapest solution is to roll your own TOTP and build an app. This is useful for web, but may be pointless on mobile (if the mobile device is unlocked, then you have access to the TOTP app or SMS).
Business people probably looked at the cost per user and couldn't offer it at a lower rate.