Not long ago we republished a story from iMasters about the insecurity of two-step authentication, especially when the codes are delivered by SMS. In a sign that the topic deserves a reassessment, the US National Institute of Standards and Technology (NIST) is drafting new guidelines for online authentication and preparing to get rid of confirmation codes delivered by the short message service.
As reported by CNET, SMS verification is relatively insecure for a few simple reasons: the phone in question may not be in the hands of its owner, and the message may be intercepted or hijacked by a Voice over IP (VoIP) service, among other things. The idea, then, is that SMS be replaced by safer and more modern methods and summarily banned from the institute's guidelines.
Some current methods, however, can continue to be used, such as delivery of the message by a secure application (which requires some type of authentication) or biometric confirmation (hello, Touch ID!), among others.
Currently, Apple uses SMS to deliver verification codes for both two-step verification and two-factor authentication. It is true that the user can also receive the codes via push notifications. But if the institute's guidance downgrades SMS to something unreliable (and it looks like it will), Apple will most likely make changes to its security systems.