Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
November 12, 2020

Microsoft advises users to stop using SMS- and voice-based MFA

Multi-factor authentication (MFA) that depends on one of the authentication factors being delivered via SMS and voice calls should be avoided, Alex Weinert, Director of Identity Security at Microsoft, opined.

That’s not to say that MFA should be avoided, though, just that there are safer and more reliable ways to get additional authentication factors.

Why SMS- and voice-based MFA is the least secure option

Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”

But the delivery of authentication factors via public switched telephone networks (PSTN) is the least secure of the MFA methods available, he thinks, because:

  • The SMS and voice formats aren’t adaptable to user experience expectations, technical advances, and attacker behavior in real time
  • PSTN systems are not 100% reliable, meaning the message or call may not come when needed
  • Changing regulations may get in the way of SMS delivery and phone calls
  • SMSes and phone calls were designed without encryption and can be intercepted (e.g., via software-defined radios, femtocells, SS7 intercept services, mobile malware, phishing tools)
  • Support agents at companies operating public switched telephone networks can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (e.g., via SIM swapping)

MFA is a must

The value of multi-factor authentication is not in question, but as more and more users adopt it, attackers will try to come up with new ways to grab the needed OTP authentication codes.

Weinert advised users to switch, if possible, from SMS- and voice-based MFA to app-based authentication. Naturally, he endorsed the Microsoft Authenticator app, but there are other apps that serve the same function (such as Google Authenticator, Cisco’s Duo Mobile) and offer the same protections (encrypted communication, more control, etc.).

There are other MFA options available, and some offer an even greater degree of safety against remote attacks, such as smart cards or security keys – actual physical devices attackers would need to get their hands on in order to gain access to secured accounts.
