2 votes
NIST SP 800-63-3 recommends that _________________ be deprecated due to issues with VoIP including password reuse and the ability to redirect SMS sent via VoIP calls. It is also relatively insecure, allowing attackers with the right equipment to potentially intercept it.

1 Answer

2 votes

Final answer:

NIST SP 800-63-3 advises against out-of-band verification using SMS or voice calls due to vulnerabilities including password reuse, redirection of VoIP calls, and potential interception by attackers.

Step-by-step explanation:

NIST SP 800-63-3 recommends that out-of-band verification using SMS or voice calls be deprecated. This method has been found to be less secure for several reasons. Firstly, the use of VoIP services for receiving SMS or voice calls makes it possible for hackers to redirect these messages or calls to their own devices. By doing so, they can gain unauthorized access to accounts using credential stuffing or password reset attacks which rely on such SMS or voice call verifications. Furthermore, password reuse is a common issue that compromises the integrity of this verification method since the same password might be used across multiple services, making it more vulnerable to being compromised in one of them. Additionally, it is relatively easy for attackers with the correct equipment to intercept SMS or voice calls, which could lead to significant security breaches. This is why alternative methods for verifying identity, such as using app-based or hardware token authenticators, are now seen as more secure and are being adopted widely.

by User Pavi (8.0k points)