Two-factor authentication adds an extra layer of security to your logins by asking for a verification code after you sign in with your credentials. But not every method for retrieving this verification code is secure in itself. To that end the National Institute for Standards and Technology, the US agency that sets guidelines and rules in cryptography and security matters, has proposed to deprecate SMS-based and will no longer allow it in future guidelines.

The current draft mentions a few reasons why NIST considers text messaging is not sufficiently secure anymore. One of the reasons says that as VoIP communication services have proliferated it’s become harder to assess whether an SMS message is truly being sent over the cell network and not a service that virtualizes phone numbers.

There’s also the concern that hackers find more and more ways to remotely access, intercept or redirect SMS texts. As a result out of band verification using SMS is deprecated, and will no longer be allowed in future releases of their guidance.

The alternative is to use a dedicated 2FA app like Google Authenticator or RSA SecurID that can generate out of band authentication codes, or a dedicated device such as security keys, smart cards, and so on. NIST also mentions "limited use" of biometrics as a way for users to gain access to their second layer of authentication.