NIST.SP.800-63C is a National Institute of Standards and Technology Best Current Practice: Digital Identity Guidelines for Federation and Assertions.

The NIST.SP.800-63C recommendation and its companion documents, NIST.SP.800-63, NIST.SP.800-63A, and NIST.SP.800-63B, provide technical guidelines to Credential Service Providers for the implementation of remote authentication.

NIST.SP.800-63C includes that SMS is Deprecated

Short Message Service (SMS) should no longer be used in two-factor authentication (2FA).

There are problems with the security of SMS delivery, including:

  • malware that can redirect text messages
  • attacks against the mobile phone network (such as the so-called SS7 hack)
  • Phone Number Portability Exploit
  • Phone ports, also known as SIM swaps, where your mobile provider issues you a new SIM card to replace one that has been lost, damaged, stolen, or that is the wrong size for your new phone. In many countries it is unfortunately far too easy for criminals to convince a mobile phone store to transfer someone's phone number to a new SIM, thereby hijacking all of their text messages.

