Exam SY0-601 topic 1 question 597 discussion

SMS (Short Message Service) authentication involves sending a one-time passcode (OTP) to the user's mobile phone via text message, which the user then enters to complete the authentication process. While it is more convenient than some other methods, it is also less secure compared to the other options listed. SMS authentication has several security weaknesses: Phishing: Attackers can use social engineering to trick users into revealing their SMS OTP, compromising the authentication. SIM swapping: Attackers can contact the user's mobile service provider and convince them to transfer the phone number to a new SIM card, gaining access to the SMS OTP. Intercepting SMS: In some cases, attackers with advanced capabilities can intercept SMS messages, allowing them to capture the OTP. Due to these vulnerabilities, SMS authentication is considered less secure compared to other authentication methods like TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password), which rely on algorithms and do not involve transmitting the OTP via SMS.

NIST SP-800-63B points out several vulnerabilities with SMS for two-step authentication and discourages its use. Normally, mobile devices display SMS text on the screen when it arrives. If someone stole the mobile device, he would see the PIN without logging on to the mobile device." -Security+ SY0-601 Get Certified Get Ahead by Darril Gibson

SMS and Token keys are examples of TOTP (Time based One TIme Password) and TOTP is considered more secured than HOTP. I choose C.