According to CNET, the National Institute of Standards and Technology (NIST), whose specifications authentication software must comply with, stated in its latest "Draft of Digital Identity Certification Guidelines" that it will abandon the use of SMS-based two-factor authentication.
So-called SMS two-factor verification combines two elements: the one-time password you receive by SMS and the mobile phone you possess. For example, when signing in to Gmail, you receive the code by SMS, open the message to read it, and then enter it on Gmail's login screen to complete the verification.
Because the SMS system is unreliable (the registered mobile phone number may no longer be in its owner's hands, messages may be hijacked through a VoIP service, and there are other unsafe factors), NIST plans to get rid of two-factor authentication based on SMS messages.
NIST said that from now on, services that still use SMS authentication need to confirm that the message is being sent to a mobile phone number rather than to a VoIP service.
The draft also says that users need to better protect their own messages in order to avoid being hijacked. For example, an attacker may tell the service provider that the mobile phone number has changed in order to hijack the user's messages. The draft states that "in the absence of two-factor authentication, the previously registered phone number must not be changed. If the user is using SMS provided by the public mobile phone network as an out-of-band authentication, the verifier must verify that the pre-registered mobile phone number is on a mobile network instead of VoIP before sending short messages to the pre-registered mobile number. At the same time, two-factor authentication is required to modify pre-registered mobile numbers. SMS is not recommended for out-of-band authentication, and future versions of this guide will no longer allow this method."
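The two rules quoted from the draft (check that the pre-registered number is on a mobile network, not VoIP, before sending an out-of-band code; and refuse to change the pre-registered number without two-factor authentication) are easy to get wrong in a verifier. The following is an added illustration, not code from the article, NIST or CNET: a minimal verifier that enforces both rules. The line-type lookup table, the SMS gateway callback, the five-minute code lifetime and the `second_factor_verified` session flag are all constructed assumptions; a real deployment would query a carrier line-type database instead of the table.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a carrier line-type lookup (hypothetical numbers).
# The draft requires the verifier to know whether a number is on a mobile
# network or a VoIP/software service before sending an SMS code.
LINE_TYPE_LOOKUP = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "landline",
}

CODE_TTL_SECONDS = 300  # assumption: an out-of-band code is valid for 5 minutes


class OOBRefused(Exception):
    """Raised when the verifier refuses an SMS out-of-band operation."""


@dataclass
class Account:
    username: str
    phone_number: str                      # pre-registered number
    pending_code: Optional[str] = None     # code sent but not yet consumed
    code_expires_at: float = 0.0
    second_factor_verified: bool = False   # set by an earlier 2FA step in this session


def line_type(number: str) -> str:
    """Return 'mobile', 'voip', 'landline' or 'unknown' for a number."""
    return LINE_TYPE_LOOKUP.get(number, "unknown")


def send_sms_code(account: Account, sms_gateway: Callable[[str, str], None],
                  now: Optional[float] = None) -> None:
    """Send a one-time code, but only to a number on a mobile network.

    Anything other than 'mobile' (VoIP, landline, unknown) is refused, which
    is the check the draft requires before any SMS out-of-band message.
    """
    kind = line_type(account.phone_number)
    if kind != "mobile":
        raise OOBRefused(f"refusing SMS to {account.phone_number}: line type is {kind}")
    code = f"{secrets.randbelow(10 ** 6):06d}"      # 6 random decimal digits
    account.pending_code = code
    account.code_expires_at = (now if now is not None else time.time()) + CODE_TTL_SECONDS
    sms_gateway(account.phone_number, f"Your verification code is {code}")


def verify_sms_code(account: Account, submitted: str,
                    now: Optional[float] = None) -> bool:
    """Accept a code once, within its lifetime; always clear it afterwards."""
    now = now if now is not None else time.time()
    code = account.pending_code
    account.pending_code = None                        # one-time use, success or not
    if code is None or now > account.code_expires_at:
        return False
    return secrets.compare_digest(code, submitted)     # constant-time comparison


def change_phone_number(account: Account, new_number: str) -> None:
    """Change the pre-registered number only after two-factor authentication.

    This is the control against the "my number changed" attack described in
    the article: without a verified second factor the request is refused.
    Requiring the new number to be on a mobile network is an added assumption,
    so that later SMS codes are not sent to a VoIP line.
    """
    if not account.second_factor_verified:
        raise OOBRefused("two-factor authentication required to change the pre-registered number")
    if line_type(new_number) != "mobile":
        raise OOBRefused(f"new number {new_number} is not on a mobile network")
    account.phone_number = new_number


if __name__ == "__main__":
    outbox = []
    alice = Account("alice", "+15550100001")
    send_sms_code(alice, lambda number, text: outbox.append((number, text)))
    print("sent:", outbox[-1])
    bob = Account("bob", "+15550100002")
    try:
        send_sms_code(bob, lambda number, text: outbox.append((number, text)))
    except OOBRefused as exc:
        print("refused:", exc)
```

The `now` parameter exists so that expiry can be exercised deterministically; production code would leave it unset. Note that `verify_sms_code` clears the pending code before comparing, so a wrong guess also burns the code and the user must request a new one, which limits online guessing of the six digits.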
Via Cnet