
[📚] Do not recommend SMS-based MFA #17202

Open
@cbenhagen


https://firebase.google.com/docs/auth/flutter/multi-factor needs a warning that SMS-based MFA should not be used.

All industry leaders as well as the CISA (Cybersecurity and Infrastructure Security Agency) recommend migrating away from SMS-based MFA. See the CISA memo from Dec 24: https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf

Migrate away from Short Message Service (SMS)-based MFA. Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.

Also see this document by Google: https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf which states:

Avoid the use of SMS-based MFA. SMS is an insecure technology that is easy to compromise or spoof with no authentication mechanism or eavesdropping protection. Messages can be hijacked by a malicious app, or a malicious actor could intercept the message by spoofing the device or by using social engineering to transfer service to a device they control.
