Microsoft Urges Users to Stop Using Phone-Based Multi-Factor Authentication
Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via Short Message Service (SMS) and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.
In a blog post last year, citing internal Microsoft statistics, Weinert said that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.
But in a follow-up blog post, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.
The Microsoft exec cites several known security issues, not with MFA, but with today's state of the telephone networks.
Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.
SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.
Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card – in attacks known as SIM swapping – allowing attackers to receive MFA one-time codes on behalf of their victims.
On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.
SMS and voice calls are the least secure MFA method today.
All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.
The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.
As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its extensive adoption.
Weinert says that users should enable a more robust MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.
But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
This preference for app or security key alternatives for MFA shouldn't mean that users should disable SMS or voice-based MFA for their accounts without substituting another MFA approach. SMS MFA is still way better than no MFA at all.