Microsoft urges users to opt out of multi-factor authentication via phone

Microsoft experts have once again raised the issue of the insecurity of multi-factor authentication through the phone, that is, through one-time codes in SMS messages or voice calls. Instead, the company is calling for newer technologies, including authenticator applications and security keys.

This time, the warning comes from the company’s head of identity security, Alex Weinert.

“Users who enabled multi-factor authentication (MFA) were protected from 99.9% of automated attacks on their accounts,” wrote Alex Weinert last year.

However, Weinert now explains that if a user can choose between several MFA methods, the phone-based option should never be the one chosen.

The expert notes that phone-based multi-factor authentication depends, at the very least, on the security of the telephone networks themselves. Because SMS messages and voice calls are transmitted in the clear, attackers can intercept them using methods and tools such as SDR (Software-Defined Radio), femtocells (FEMTO) or various SS7 vulnerabilities.

In addition, one-time codes sent by SMS can be captured with open-source, freely available phishing tools such as Modlishka, CredSniper or Evilginx. Alternatively, fraudsters can deceive mobile-operator employees into moving the victim’s phone number to a new SIM card (a so-called SIM swap attack), which lets the attackers receive the target’s one-time MFA codes.

All this makes SMS and voice-call MFA “the least secure MFA method available today,” Alex Weinert sums up.

The specialist advises users to adopt a stronger multi-factor authentication mechanism wherever one is available and recommends the Microsoft Authenticator app. Users who want the strongest option should use hardware security keys, which Weinert called the best MFA solution last year.
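To make concrete why security keys resist the phishing proxies named above while SMS codes do not, here is an added example (not code from the article or from Microsoft) of the relying-party check a FIDO2/WebAuthn server performs: the authenticator signs over the origin the browser actually visited, so an assertion relayed through a proxy on a look-alike domain is rejected, whereas a one-time code carries no origin at all. The origin `https://login.example.test`, the look-alike `https://login-example.test` and the HMAC stand-in for the credential key pair are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.test"  # constructed relying-party origin

# Constructed stand-in for the credential key pair: a secret shared by the
# authenticator model and the relying party. Real WebAuthn uses an asymmetric
# key (e.g. ECDSA P-256); the origin-binding check shown here is unchanged.
CRED_SECRET = secrets.token_bytes(32)


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Model of a security key response: it signs authenticatorData plus a
    hash of clientDataJSON, and clientDataJSON records the browser's origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    rp_id = origin.split("://", 1)[1]                      # host part of the origin
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    sig = hmac.new(CRED_SECRET, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party verification: challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:   # origin binding: a proxy cannot forge this field
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ORIGIN.split("://", 1)[1].encode()).digest():
        return False
    expected_sig = hmac.new(CRED_SECRET, assertion["auth_data"]
                            + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def sms_otp_verify(submitted: str, issued: str) -> bool:
    """A one-time code has no notion of where the user typed it in."""
    return hmac.compare_digest(submitted, issued)


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    direct = rp_verify(authenticator_sign(challenge, RP_ORIGIN), challenge)
    # Reverse-proxy phishing relays the real challenge, but the browser signs
    # for the look-alike origin it is actually on, so the relying party rejects it.
    relayed = rp_verify(authenticator_sign(challenge, "https://login-example.test"), challenge)
    code = "482913"  # constructed six-digit code as it would arrive by SMS
    return {"direct_key": direct, "proxied_key": relayed, "proxied_otp": sms_otp_verify(code, code)}
```

The `proxied_otp` result is what the article warns about: the same six digits are valid no matter which site the user saw, while the key's assertion is only valid for the genuine origin.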

The point of view expressed by Weinert is not new at all. Back in 2016, the National Institute of Standards and Technology (NIST) published a document stating that the use of SMS messages for two-factor authentication would no longer be encouraged in the future. The document explicitly states that using SMS messages for two-factor authentication will be considered “invalid” and “insecure”.

Let me remind you that researchers hacked the TikTok app via SMS, and I also wrote that attackers can bypass TikTok multi-factor authentication through the website.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
