Microsoft is urging users to abandon phone-based multi-factor authentication (MFA) methods, such as one-time codes sent via SMS and voice calls, and replace them with newer MFA technologies such as app-based authenticators and security keys.
The warning comes from Alex Weinert, director of identity security at Microsoft. Over the past year, Weinert has been advocating on Microsoft's behalf, urging users to adopt and enable MFA on their online accounts.
Citing Microsoft internal statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ultimately prevented approximately 99.9% of automated attacks on their Microsoft accounts.
However, Weinert said in a follow-up blog post today that if users have to choose between several MFA options, they should stay away from phone-based MFA.
Microsoft executives cited several known security issues that lie not in MFA itself but in the state of today
Weinert said that both SMS messages and voice calls are transmitted in clear text and can be intercepted with relative ease by determined attackers using software-defined radios, femtocells, SS7 interception services and similar tools and techniques.
SMS-based one-time codes can also be phished using open-source phishing tools (such as Modlishka, CredSniper or Evilginx).
In addition, telephone network employees can be tricked into transferring a phone number to the threat actor’s SIM card (an attack known as SIM swapping), allowing the attacker to receive the victim's MFA one-time codes.
Most importantly, the telephone network also faces changing regulations, outages and performance problems, all of which affect the overall availability of the MFA mechanism and can prevent users from authenticating to their accounts when they urgently need to.
SMS and voice calls are the least secure MFA methods available today
All of this makes SMS and call-based MFA “the least secure of the MFA methods available today.”
Microsoft executives believe that the gap between SMS and voice-based MFA and the stronger methods will only “widen” in the future.
As MFA adoption grows overall and more and more users enable MFA for their accounts, attackers will also become more interested in defeating it. Because SMS and voice-based MFA are so widely adopted, they will naturally become the main target.
Weinert said that users should enable a stronger MFA mechanism for their accounts wherever one is available, and recommends Microsoft’s Authenticator MFA app as a good starting point.
However, if users want the best, they should use a hardware security key, which Weinert listed as the best MFA solution in his blog post last year.
PS: This does not mean that users should disable SMS or voice-based MFA on their accounts. SMS MFA is still better than no MFA at all.