In late July 2016, SMS was formally declared undesirable and not recommended by National Institute of Standards and Technology (NIST). While not enough time has passed to draw a definitive conclusion, it appears Duo SMS-based authentications have not declined significantly despite this declaration. It’s encouraging, however, that Duo Push (a more user-friendly and secure method) has been consistently increasing in use. Duo also encourages U2F as more services begin to support it as a secondary authentication method.
When I read about the NIST recommendation on SMS in late July, I contacted DUO to make sure they were aware, and then removed SMS authentication as an option for our 500+ DUO users.