SMS-based two-factor authentication is vulnerable to SIM swapping

SS7 protocol vulnerabilities and social engineering attacks on carriers allow attackers to port a phone number without physical access to the device. NIST SP 800-63B (2017) deprecated SMS as an authentication factor. Recommended alternatives: TOTP authenticator apps (RFC 6238) or FIDO2 hardware security keys which require physical possession and are phishing-resistant.