ETech 7 New York

Microsoft: It's Time to Move Away From SMS and Voice-Based MFA


Microsoft urges users to stop using phone-based multi-factor authentication

Last year, we wrote a blog post about a Microsoft cybersecurity report that found users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. Today, as with anything involving technology, that seems to have changed. Alex Weinert, Microsoft’s Identity Security Director, says it’s now time to move away from SMS and voice MFA security measures. 


But first, what is MFA?


What is multi-factor authentication?

Multi-factor authentication is an authentication method that adds multiple layers of security to an account. You, as a user, have to provide two or more pieces of evidence to show that it's really you logging in, not just some random automated cyberattack. SearchSecurity defines multi-factor authentication as a method that combines two or more credentials: what the user knows (your password), what the user has (security token), and what the user is (biometric verification).


While some MFA is still better than no MFA, Weinert says, “These mechanisms [SMS and voice] are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.”


The Microsoft exec also cites several known security issues such as SMS and voice formats not being adaptable. This means that opportunities for security innovations in usability are limited, to say the least. However, Weinert makes it clear that the problem does NOT lie in the practice of using MFA per se. He says he is simply discussing which MFA method to use, not whether to use MFA.


Primarily designed without encryption

Another important security issue surrounding phone-based MFA is that SMS and voice protocols were designed without encryption. Weinert says that both SMS and voice calls are transmitted in clear text, which determined attackers can easily intercept. An attacker can simply deploy a software-defined radio or a nearby FEMTO cell to intercept messages, or use an SS7 intercept service to eavesdrop on the phone traffic.


“It’s also worth noting that most PSTN systems are backed by online accounts and rich customer support infrastructure. Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel. While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking,” adds Weinert.


So what does this mean for the future of MFA?

Again, some MFA is still better than no MFA. While Weinert warns that SMS and voice MFA are the least secure forms of MFA nowadays, it’s still better than having no MFA at all. In the future, expect the security gap for SMS and voice-based MFA to widen with more and more attackers interested in breaking MFA methods. 


The answer? App-based authentication.

App-based authenticators are set up for your email or social accounts by scanning a QR code with the app. Once the QR code has been read, the app-based authenticator will start generating codes, and the service will typically ask you to input the current one to verify that you are the person accessing your account. Some of the most popular examples of app-based authenticators are Microsoft Authenticator and Google Authenticator.


Are you wondering what else you can do to strengthen your cybersecurity measures? Here are some of the questions you could ask yourself about your online security:


Nothing better than having peace of mind, right? The only way to achieve that is to make sure that you are doing everything you can to secure your stuff. After all, no one wants to get their data stolen, right?

Andro Yuson
