Thanks to Richard van Arnholt for pointing out to me that NIST now states that if authentication is used via SMS (out-of-band), ‘the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. […] Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.’
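One way a verifier could apply the quoted SHALL and SHOULD before sending an SMS code, as an added example that is not from NIST or from this page. The `NumberSignals` record, its field names, the `line_type` values and the 7-day lookback are all assumptions standing in for whatever number-intelligence source a verifier actually has.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy value (not from NIST): how recent a change must be to count as a risk.
LOOKBACK = timedelta(days=7)


@dataclass
class NumberSignals:
    """Hypothetical lookup result for one pre-registered phone number."""
    line_type: str                               # assumed values: "mobile", "voip", "landline"
    last_device_swap: Optional[datetime] = None
    last_sim_change: Optional[datetime] = None
    last_port: Optional[datetime] = None


def sms_otp_decision(sig: NumberSignals, now: datetime) -> Tuple[bool, List[str]]:
    """Return (deliver_over_pstn, reasons). Any reason means: use another authenticator."""
    reasons: List[str] = []

    # SHALL: the number must be associated with a specific physical device.
    # Assumption: only a mobile line type is treated as device-bound for SMS.
    if sig.line_type != "mobile":
        reasons.append("not_device_bound")

    # SHOULD: device swap, SIM change and number porting as risk indicators.
    indicators = (
        ("device_swap", sig.last_device_swap),
        ("sim_change", sig.last_sim_change),
        ("number_port", sig.last_port),
    )
    for name, when in indicators:
        # A timestamp in the future is also flagged, so bad data fails closed.
        if when is not None and now - when <= LOOKBACK:
            reasons.append(name)

    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed sample time
    swapped = NumberSignals("mobile", last_sim_change=now - timedelta(days=2))
    print(sms_otp_decision(swapped, now))
```
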