Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Microsoft: Stop Using Phone-Based Multifactor-Authentication!

November 16, 2020

On November 12, ZDNet reported that Microsoft is urging users to stop using telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

While robust passwords go a long way toward securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

The warning came from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.

Based on internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

In a recent follow-up blog post, Weinert says that if users have to choose between multiple MFA solutions, they should avoid telephone-based MFA.

Weinert says that both SMS and voice calls are transmitted in clear text and can be easily intercepted by attackers, using techniques and tools like software-defined radios, femtocells, or SS7 intercept services.

SMS-based one-time codes are also phishable via open-source and readily available phishing tools like Modlishka, CredSniper, or Evilginx.

Also, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card, in attacks known as SIM swapping, allowing attackers to receive MFA one-time codes on behalf of their victims.

Finally, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which potentially impact the availability of the MFA mechanism, which could prevent users from authenticating to their account.

The end result is that SMS and call-based MFA are "the least secure of the MFA methods available today," according to Weinert.

As MFA adoption increases overall, attackers will focus on breaking MFA, with SMS and voice-based MFA becoming their primary target due to their large usage.

Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.

But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
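Why a code sent by SMS can be phished through a relay while a security key's response cannot is worth seeing in working code. The following is an added illustration, not code from this blog or from Microsoft; the origins are constructed placeholders, and an HMAC stands in for the public-key signature a real security key (WebAuthn/FIDO2) produces. The point is the origin check in the relying party's verify step.

```python
import hashlib, hmac, os, secrets

# Constructed demo, not code from the blog or from Microsoft. A relying party
# issues a challenge; the authenticator signs it together with the origin the
# browser shows. HMAC stands in for WebAuthn's public-key signature.
LEGIT_ORIGIN = "https://login.example.com"   # constructed placeholder
PHISH_ORIGIN = "https://login-example.com"   # constructed lookalike domain

class RelyingParty:
    """The genuine site; accepts only assertions bound to its own origin."""
    def __init__(self, origin):
        self.origin, self.keys, self.challenges = origin, {}, {}
    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]
    def verify(self, user, a):
        challenge = self.challenges.pop(user, None)      # single use
        if challenge is None or a["challenge"] != challenge:
            return False
        if a["origin"] != self.origin:   # origin binding defeats a relay
            return False
        msg = (a["challenge"] + "|" + a["origin"]).encode()
        good = hmac.new(self.keys[user], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(good, a["sig"])

class SecurityKey:
    """Signs the challenge bound to the origin of the page that asked."""
    def __init__(self, key):
        self.key = key
    def sign(self, challenge, origin_seen):
        msg = (challenge + "|" + origin_seen).encode()
        return {"challenge": challenge, "origin": origin_seen,
                "sig": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}

def sms_code_survives_relay():
    """An SMS code carries no notion of where it was typed: a code entered
    on the lookalike page is the exact string the real site expects."""
    code = f"{secrets.randbelow(10**6):06d}"
    typed_on_lookalike = code
    return typed_on_lookalike == code

def key_assertion_survives_relay(origin_user_is_on):
    """Same relay against a security key: the real challenge is forwarded,
    but the authenticator signs the origin the browser actually shows."""
    rp, key = RelyingParty(LEGIT_ORIGIN), SecurityKey(os.urandom(32))
    rp.keys["alice"] = key.key
    challenge = rp.new_challenge("alice")
    return rp.verify("alice", key.sign(challenge, origin_user_is_on))
```

Calling key_assertion_survives_relay(PHISH_ORIGIN) returns False and key_assertion_survives_relay(LEGIT_ORIGIN) returns True, while sms_code_survives_relay() always returns True.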

John and I agree with all of this. However, SMS- or voice-based MFA is still far better than no MFA!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson