Multi-factor authentication (MFA) that depends on one of the authentication factors being delivered via SMS and voice calls should be avoided, Alex Weinert, Director of Identity Security at Microsoft, opined.
That’s not to say that MFA should be avoided, though, just that there are safer and more reliable ways to get additional authentication factors.
Why SMS- and voice-based MFA is the least secure option
Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
But the delivery of authentication factors via publicly switched telephone networks (PSTN) is the least secure of the MFA methods available, he thinks, because:
- The SMS and voice formats aren’t adaptable to user experience expectations, technical advances, and attacker behavior in real-time
- PSTN systems are not 100% reliable, meaning the message or call may not come when needed
- Changing regulations may get in the way of SMS delivery and phone calls
- SMSes and phone calls were designed without encryption and can be intercepted (e.g., via software-defined radios, femotcells, SS7 intercept services, mobile malware, phishing tools)
- Support agents at companies operating publicly switched telephone networks can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (e.g., via SIM swapping)
MFA is a must
The value of multi-factor authentication is not in question, but as more and more users adopt it, attackers will try come up with new ways to grab the needed OTP authentication codes.
Weinert advised users to, if possible, switch from SMS- and voice-based MFA to using app-based authentication. Naturally, he endorsed the Microsoft Authenticator app, but there are other apps that serve the same function (such as Google Authenticator, Cisco’s Duo Mobile) and the same protections (encrypted communication, more control, etc.).
There are other MFA options available, and some offer an even greater degree of safety against remote attacks, such as smart cards or security keys – actual physical devices attackers should get their hands on in order to gain access to secured accounts.