Microsoft advise to stop using phone based multi-factor authentication

Microsoft is advise users to abandon phone based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft’s behalf, urging users to embrace and enable MFA for their online accounts.

Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from phone based MFA.

The Microsoft exec cites several known security issues, not with MFA, but with the state of the phone networks today.

SMS-based one-time codes (OTP) are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor’s SIM card in attacks known as SIM swapping, allowing attackers to receive MFA one-time codes on behalf of their victims.

On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.

SMS and voice calls are the least secure MFA method today

All of these make SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.

The Microsoft exec believes that this gap between SMS & voice-based MFA “will only widen” in the future.

As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its large adoption.

Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft’s Authenticator MFA app as a good starting point.

You might also like More from author

Comments are closed.