This is the gist of the latest draft of its Digital Authentication Guideline. At some point, the document says out-of-band verification using SMS is deprecated and will not appear in future releases of NIST's guidance.

For now, NIST says a service still using SMS verification needs to confirm that it's sending messages to a mobile number and not a VoIP service.

The body also says users need better protection against having messages hijacked, for example by an attacker persuading the service provider that the number has changed.

The document states that changing the pre-registered telephone number shall not be possible without two-factor authentication at the time of the change.