NIST doesn't make clear why it's deprecating SMS two-factor, but there are a few reasons that make sense. Most phones display text messages on their lock screen, meaning a would-be attacker would be able to authenticate just by looking at your phone. There are also considerable flaws in signalling protocols that make SMS more vulnerable than other methods.

NIST's guidelines aren't legally binding, but other government agencies stick by them, and the industry at large will follow. So what's the alternative to SMS? There are plenty. The most prevalent are dedicated applications that deliver a two-factor code that refreshes every 30 seconds. Google Authenticator, Authy, Duo and other apps all essentially do the same thing with slight differences in presentation and execution. If you work for a large company, you might have used hardware that works on a similar principle, such as RSA SecurID dongles.

There are still plenty of sites and services that only offer SMS-based authentication, while others such as Facebook support both app- and SMS-based methods. And, of course, there are inexplicably some services with no protection at all. Instagram is one such outlier -- it's been slowly bringing two-factor to its userbase this year, but at the time of writing has yet to complete that roll out.