The National Institute for Standards and Technology (NIST) has released a Digital Authentication Guideline draft proposing that all services abandon SMS-based two-factor authentication and use tokens and software cryptographic authenticators.
Because messages can be redirected to a VoIP service and not an actual mobile number, NIST believes SMS-enabled two-factor authentication is vulnerable to attacks. A true out-of-band authentication system should not depend on the ability to receive messages (email or instant messages), as somebody other than the owner may have the device.
