Do not use SMS for password reset
Some institutions use SMS as a communication channel to the user to perform password reset.
For example, an IdP which knows a user’s mobile phone number can send that user an SMS text message with a new password when the user (through some self-service portal) indicates that he or she forgot the original password. This would degrade the security of the whole to just single factor authentication.
Please note that a second authentication factor like SMS should never be used for password reset in situations where it is also used for additional identity assurance in the context of SURFconext Strong Authentication.