NIST Deprecates SMS 2FA
While you were sleeping, NIST released the latest public draft of SP 800-63 on GitHub.
Among the changes is this passage on using SMS messages as an out-of-band (OOB) authenticator for two-factor authentication (2FA).
From the SP 800-63B draft, in the section on out-of-band verifiers:
Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.
So if you are using SMS as an OOB second factor, it may be time to consider moving to X.509 client certificates, TOTP, or another authenticator. Note that even systems that keep SMS for now must meet two SHALL requirements from the draft: the verifier has to check that the registered number is on a mobile network rather than a VoIP or other software-based service, and the number must not be changeable without two-factor authentication at the time of the change.
About the author
Brooks Garrett is a dedicated technologist who specializes in information security. Brooks has spent over 10 years implementing security programs for both the public and private sectors, including some of the biggest names in the Fortune 500. When he's not managing risk in the corporate environment, you can find him at the local fire station, where he is a volunteer firefighter.