NIST Publication on SMS two-factor authentication

Here are two links to articles discussing the NIST and their discouraging of SMS use for multi-factor authentication. The special publication by NIST actually says

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

 

https://www.engadget.com/2016/07/29/sms-two-factor-authentication-isn-t-being-banned/

Networking Security and Compliance two factor authentication SMS