[thepratt]

I'm surprised they're putting SMS 2fa in now. In 2016 the NIST released new guidelines that essentially "banned" SMS 2fa use. It's heavily suggested that US banks follow NIST guidelines, I'm unsure if there's any actual legal requirement for them to.

You could always send the portion of the guidelines to as many credit union people as possible. Someone may bite.

[TrapLord_Rhodo]

nist is all about internal controls. It says nothing about dictating controls on your users.

[thepratt]

That's not entirely correct. The main purpose is how US federal agencies handle stuff such as digital identities, this includes all digital identities - employees and citizens/other. Private institutions can use it as guidance for whatever purpose. You can find this information in the abstract of revisions https://pages.nist.gov/800-63-3/sp800-63-3.html