The National Institute of Standards and Technology has just published guidance that out of band verification using SMS is being deprecated and will explicitly forbidden in future releases of guidance.
Attempts were made to influence NIST to soften their stance on SMS. They were rejected:
nntr - just wanted the thread current if we revisit in the future.