The US National Institute for Standards and Technology is updating its
Digital Authentication Guideline
Responding to recent cases where SMS-based two-factor authentication
systems were hijacked to rack up charges on premium-rate phone numbers,
it is now saying that sending a text message is no longer good enough.
At least the service sending the messages needs to be sure they are
going to a real mobile phone.
Interestingly, it is posting review documents on GitHub, as an addition
to the usual publication channels.