From 7ec45b4e56538d20bd9dd07d11b2f68f675368f2 Mon Sep 17 00:00:00 2001 From: "Mark R. Gamache" Date: Mon, 24 Jun 2024 03:59:13 -0700 Subject: [PATCH] SMS update per issue 1433 (#1435) * SMS update per issue 1433 * SMS update per issue 1433. with changes per szh --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 29e9d0de29..b316334aad 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -255,7 +255,7 @@ Smartcards are credit-card size cards with a chip containing a digital certifica ### SMS Messages and Phone Calls -SMS messages or phone calls can be used to provide users with a single-use code that they must submit as an additional factor. +SMS messages or phone calls can be used to provide users with a single-use code that they must submit as an additional factor. Due to the risks posed by these methods, they should not be used to protect applications that hold Personally Identifiable Information (PII) or where there is financial risk. e.g. healthcare and banking. [NIST SP 800-63](https://pages.nist.gov/800-63-3/sp800-63b.html) does not allow these factors for applications containing PII. #### Pros @@ -270,6 +270,8 @@ SMS messages or phone calls can be used to provide users with a single-use code - Susceptible to SIM swapping attacks. - SMS messages may be received on the same device the user is authenticating from. - Susceptible to phishing. +- SMS may be previewed when the device is locked. +- SMS may be read by malicious or insecure applications. ### Email
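Review bot: In the first hunk (@@ -255,7 +255,7 @@), the added sentence "NIST SP 800-63 does not allow these factors for applications containing PII" states an absolute prohibition, but the link goes to the top of the SP 800-63B page, so a reader cannot check it. Please link the specific section that supports the statement and match its wording, so that a restriction or conditional allowance is not reported as a ban. In the same added line, "financial risk. e.g. healthcare and banking." leaves "e.g. healthcare and banking." as a fragment. Suggest "or where there is financial risk, e.g. healthcare and banking."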
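Review bot: In the second hunk (@@ -270,6 +270,8 @@), the two new Cons bullets start with "SMS may be ...", while the neighbouring bullet in the same list uses "SMS messages may be received on the same device ...". Please use "SMS messages" in both for consistency. Since the section covers "SMS Messages and Phone Calls", it would also help to word them so it is clear they apply to the SMS channel only, for example "SMS messages may be previewed on the lock screen of the device." The bullet about "malicious or insecure applications" could say in a few words how such an application gets to read the message, so the reader understands what risk is being described.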