Microsoft: Stop Using SMS for MFA

Posted on November 11, 2020 by Paul Thurrott in Cloud, Mobile with 26 Comments


Microsoft this week made the case for moving away from SMS-based authentication in Multi-Factor Authentication (MFA) schemes, citing its insecurity.

“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” Microsoft’s Alex Weinert writes. “These mechanisms are based on publicly-switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong [authentication] now – the authenticator app provides an immediate and evolving option.”

As I wrote years ago, 2FA/MFA is essential, and Weinert—an actual security expert—agrees: He says that MFA is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1 percent of the general population.

At the time of the article linked above, I recommended using an authenticator smartphone app, like Microsoft Authenticator, noting that SMS (text message)-based authentication was “falling out of favor.” Here, too, Weinert agrees, but he has data that should convince any holdouts.

SMS-based authentication, he says, is transmitted in the clear, without encryption, and “can be intercepted by anyone who can get access to the switching network or within the radio range of a device.” SMS codes are also easy to socially engineer, enabling an SMS form of phishing in which users unknowingly hand attackers the information they need to access their accounts. And because mobile networks themselves are unreliable, SMS delivery is too, and you won’t be informed if an authentication attempt fails.

“To recap: you’re GOING to use MFA,” Weinert correctly concluded. “For most users on their mobile devices, we believe the right answer is app-based authentication. For us, that means the Microsoft Authenticator. The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe. In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”

It’s good advice. Follow it.
