Last year, we wrote a blog post about a Microsoft cybersecurity report that found users who enable multi-factor authentication (MFA) for their accounts block 99.9% of automated attacks. That figure still stands, but, as with anything involving technology, the advice has moved on. Alex Weinert, Microsoft’s Director of Identity Security, now says it’s time to move away from SMS and voice-call MFA in favour of stronger methods.
But first, what is MFA?
What is multi-factor authentication?
Multi-factor authentication is an authentication method that adds independent layers of proof to an account login. You, as a user, have to provide two or more pieces of evidence that it’s really you logging in, so that a stolen password alone is not enough for an automated attack to succeed. SearchSecurity defines multi-factor authentication as a method that combines two or more of the following: something the user knows (a password), something the user has (a security token, phone or authenticator app) and something the user is (biometric verification such as a fingerprint or face scan).
While some MFA is still better than no MFA, Weinert says, “These mechanisms [SMS and voice] are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.”
The Microsoft exec also cites several known security issues, such as the SMS and voice formats not being adaptable: the message is just a code in a text or a spoken sequence of digits, so there is little room to improve either security or usability on top of them. However, Weinert makes it clear that the problem does NOT lie in the practice of using MFA per se. He is discussing which MFA method to use, not whether to use MFA.
Primarily designed without encryption
Another important security issue surrounding phone-based MFA is that the SMS and voice protocols were designed without encryption. Weinert says that both SMS messages and voice calls travel in clear text, so a determined attacker can intercept them. The examples he gives are a software-defined radio to capture messages over the air, a nearby rogue femtocell (a small base station the victim’s phone connects to), or an SS7 intercept service that abuses the signalling network carriers use to route calls and texts. In each case the one-time code is exposed before it ever reaches the user.
“It’s also worth noting that most PSTN systems are backed by online accounts and rich customer support infrastructure. Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel. While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking,” adds Weinert.
So what does this mean for the future of MFA?
Again, some MFA is still better than no MFA. While Weinert warns that SMS and voice MFA are the least secure forms of MFA available today, either is still far better than having no MFA at all. Expect the gap to widen, though: as MFA adoption grows, more attackers will invest in breaking the weakest methods, and those are the phone-based ones.
The answer? App-based authentication.
App-based authenticators don’t receive codes at all, which is the point. When you scan the QR code a service shows you during setup, the app stores a shared secret key for that account. From then on the app combines that secret with the current time to generate a fresh six-digit code every 30 seconds or so, and the service, which holds the same secret, computes the same code and asks you to type in the current one to prove it’s you. Nothing travels over the phone network, so there is nothing for an SDR, femtocell or SS7 intercept to capture. Some of the most popular examples are Microsoft Authenticator and Google Authenticator; Microsoft Authenticator can also approve sign-ins with a push notification instead of a typed code. One caveat: a typed code can still be phished if you enter it on a fake site, which is why Weinert’s end goal is passwordless strong authentication rather than codes of any kind.
Are you wondering what else you can do to strengthen your cybersecurity measures? Here are some of the questions you could ask yourself about your online security:
- Are your passwords secure? Here's a refresher on how to come up with strong passwords.
- Do you need antivirus software? Should you choose a free or paid option? Here's a refresher on the best free and paid antivirus software depending on what you need.
- Are you still using Windows 7? Here's why that's a bad idea.
- Using Microsoft Office 365? Be wary of phishing campaigns.
- And last but not least, PLEASE use MFA. If you're wondering what MFA is, here's a quick guide.
Nothing beats having peace of mind, right? The only way to achieve that is to make sure you are doing everything you can to secure your accounts and devices. After all, no one wants their data stolen.