Microsoft: Stop Using SMS for MFA

Posted on November 11, 2020 by Paul Thurrott in Cloud, Mobile with 26 Comments


Microsoft this week made the case for moving away from SMS-based authentication in Multi-Factor Authentication (MFA) schemes, citing its insecurity.

“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” Microsoft’s Alex Weinert writes. “These mechanisms are based on publicly-switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong [authentication] now – the authenticator app provides an immediate and evolving option.”

As I wrote years ago, 2FA/MFA is essential, and Weinert—an actual security expert—agrees: He says that MFA is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1 percent of the general population.

At the time of that article linked above, I recommended using an authenticator smartphone app, like Microsoft Authenticator, noting that text messaging (SMS)-based authentication was “falling out of favor.” Here, too, Weinert agrees, but he has data that should convince any holdouts.

SMS codes, he says, are transmitted in the clear. The message is not encrypted, so it “can be intercepted by anyone who can get access to the switching network or within the radio range of a device.” They are easy to socially engineer, enabling an SMS form of phishing (“smishing”) in which users unknowingly hand attackers the code they need to get into the account. And because mobile networks themselves are unreliable, delivery of the code is unreliable, and there is no feedback channel to tell you when a message fails to arrive.

“To recap: you’re GOING to use MFA,” Weinert correctly concluded. “For most users on their mobile devices, we believe the right answer is app-based authentication. For us, that means the Microsoft Authenticator. The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe. In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”

It’s good advice. Follow it.


Comments (26)

  1. RonV42

    I tried to stop using SMS but the issue is many companies only allow SMS or a phone call as a second factor. Their use of the Authenticator option is nowhere to be found. I would prefer we move back to the MFA "Grid" where you can carry it in your wallet and enter when needed, no need to be connected to any device that can be spoofed. Possession factors are still one of the best choices out there.

  2. whistlerpro

    Texting as TFA was the subject recently on BBC Radio 4's Money Box, as it was causing issues for a blind credit card user who didn't have a mobile. With email removed as an option to authenticate, it does exclude some users, as they may not wish to invest in what may be quite expensive technology just so they can buy things online, for example. The alternative given by the credit card company was to phone customer services every time they needed to authenticate. Which sounds rubbish.

    I'm not sure app based authentication would have helped much either, but I guess there is a possibility of using that on a device other than a smartphone?

  3. brothernod

    Can you use the password less Authenticator to sign in on the Xbox?

  4. will

    Here is where I have issue with only using the app and not allowing for SMS or voice. When you use the app for authentication you are requiring that the employee use a device, that could be a personal device, for business reasons. If the employee gets some sort of reimbursement for the use of their device, then that is ok. However, some people might not want to use a personal device with an app installed for work reasons.

    I know that this might not be many people, but it is a legit issue for some. Just not sure what the best approach is for this. The other option is to use some sort of a token based system that would be issued to the employee that they could use to login, like the RSA tokens or a USB key system.

    • kjb434

      In reply to will:


      There are people who also don't have an iOS or Android device. I know several people who prefer using basic flip phones. They don't have a desire to use social media and will only check email (even work email) when they sit down at a PC.

      There is a contingent of people who just won't use a personal device for work.

  5. proftheory

    It's good you're telling the more tech-aware audience to, where possible, stop using SMS for 2FA, but I know people who have enough trouble trying to answer their phone let alone send/receive SMS. To have them switch to any authenticator application is more than they are willing to do since I often get the reply "I'm no one. I have no money. And let them hack my computer."

  6. sgx_

    I understand it when attackers can intercept... But almost all attacks are from very far... I like it more that attackers have to enter a specific code which my users cannot accidentally accept or give.

    Mfa via authenticator app works well, but is too easy to miss when in a rush, you could accidentally allow an attacker in your account with a misclick.

  7. ebraiter

    Ahh.... The good old days of RSA tokens.

  8. tripleggg

    Unless you have the text go to your google voice number ... they’d have to hack google to crack that. Since text is rampant amongst companies (especially banks - mind boggling) as a second form of authentication ... and will be for many years to come, the google voice approach seems critical for a secure, faux mfa.

    • melektaus

      In reply to tripleggg: Great advice unless you live in one of the other 194 countries that don't have access to Google Voice.
      Still, only 7.2 billion people can't use it. That's not too bad.

  9. glenn8878

    I had problems with MFA in that it forced you into a complicated authentication scheme. Yet lately it's gotten better, so I began to use it again. SMS works well. Perhaps the remedy to the situation is getting SMS encrypted, which should not be impossible. Does Apple iMessage solve the encryption problem?

    • truerock2

      In reply to glenn8878:

      Apple iMessage is end-to-end-encrypted. The private key is kept on the iPhone and the iPhone's iCloud account and in certain kinds of iPhone backups.

      But, when my bank sends a text message to my iPhone with a 2-factor-authentication-code I don't think end-to-end-encryption is used. If I reply to the text message from my bank, my reply is in a green bubble which means the text message is not encrypted.

  10. RobertJasiek

    Microsoft Authenticator is available for Android or iOS - both of which I do not trust for important authentication. Windows x64 or Linux would be better. However, any software / online operating system might be attacked or have bugs. Two-factor authentication is fine in principle but should rely on safer means, such as smartcards or bank cards combined with offline-generated TAN.

  11. gregsedwards

    As someone who was recently locked out of my Microsoft account for almost a month due to an MFA issue (at least that's my suspicion as I never received a debrief following the resolution), I'm a little bit divided on this issue.

    My concern is that if/when the app setup fails for any number of reasons, then the user is potentially left out in the cold. For instance, if the authenticator app is on a phone that's lost/replaced without properly deactivating the account from the app, then it's extremely difficult to convince someone to help you rescue the account. SMS, by contrast, is directly tied to the phone number, which is less likely to be out of the end-user's reach to salvage. As long as I own the number, then I can easily access/reset the account.

    This is the position in which I found myself back in August. One day, out of the blue, I couldn't get into my MSA. I used MFA religiously and had the Microsoft Authenticator configured for my MSA, but it had me in a loop, whereby I would receive a challenge, and when I responded, I was taken to a generic "something is wrong with your account" page. And nobody could/would help me unlock my account. I suspect the issue had something to do with my son having tied my cell phone number to a free Teams account he created using his MSA, which should have been impossible without first disconnecting it from mine.

    But I digress. It was some kind of problem between Microsoft's back-end systems, and nobody seemed overly concerned about restoring my MSA access. As a business customer, I knew Microsoft had the staff and ability to instantly unlock any account. But this was a consumer-tier "free" MSA, not a business-class "paid" work account, so I was encouraged to just cut my losses and create a new one.

    And to be clear, "just create a new account, they're free" isn't really advice. I have thousands of dollars' worth of Xbox games, movies & TV, apps, and subscription services tied to that account. It's a big part of my online identity across numerous online services. I use it to manage my family and their purchases/subscriptions. You can't tell people to trust your basket with all their eggs and then, when they have a problem, tell them they really shouldn't put all their eggs in one basket like that.

    But I do inherently trust the Microsoft Authenticator and still do use it religiously. Once I got back into my account, I immediately reconnected it to the Authenticator app. I wouldn't trust a system with my identity if it didn't offer some kind of MFA option.

    Anyway, regarding the inherent problems with SMS being compromised, I feel that for most users, it's a question of convenience vs. security. And SMS-based MFA provides enough security without going overboard. It's like giving your spare house key to someone you trust: it's not as secure as Fort Knox, but then again, maybe it doesn't need to be.

    Perhaps app-based authentication with SMS as a backup option is the way to go. That way, Microsoft could suggest app-based authentication as a primary solution, while still giving consumers the flexibility of self-service should the need arise. Either that or provide a trustworthy support escalation process. Otherwise, I think people will have a tough time trusting such a faceless behemoth with marshalling their identity verification.

    • dashrender

      In reply to gregsedwards:

      The obvious problem exists here - loss of one's phone number. There are many stories out there of hackers stealing your phone number through SIM swaps, etc.

      Really MS needs to have another secure way - say like One Time Passwords, that you could store in something like LastPass, or your safety deposit box that would allow recovery access.

      I agree that MS NEEDS a MUCH better solution for end users on their "free" services like you. You're absolutely right that most people live and die by their email address/MSA and can't just give it up.

      • IanYates82

        In reply to Dashrender:

        There's a whole page in the security settings page (go to account dot microsoft dot com)

        Here's mine for my personal MSA.

        Sign in is via the app (send sign-in notification option) but I can choose lots of other methods that I've configured.

        I can, and have, configured some app passwords too (originally for the xbox 360). That is a password that works *without* second factor. It's a password you don't get to choose, and you can only delete (ie, never view after its creation).

        Finally there are account recovery codes that you can generate at the bottom. That bypasses second-factor, etc too.


        • infloop

          In reply to IanYates82:

          Yes. Microsoft does have a section on the bottom that allows you to generate a recovery code on the "Additional security options" page.

          Usually there is an option to generate recovery codes when setting up MFA on an account. The Google Authenticator PAM module for Linux generates a set of codes for one-time use to login if you don't have access to your TOTP generator, for example. Some services may generate more codes for your recovery set.

        • IanYates82

          In reply to IanYates82:

          My screenshot didn't seem to come with the post, sorry...

  12. jcbeckman

    If only Authenticator was reliable on my Apple Watch (it is at least on the iPhone) and more widely used. I refuse to use Google anything if at all possible, so I'm not using their app. And as RonV42 notes, SMS is your only choice from a lot of places.

  13. sevenacids

    I think it's not as easy as he claims. Authenticator apps are good, but if encryption gets weakened by law (for example, there are attempts in the EU right now to implement secondary keys that allow man-in-the-middle attacks by authorities) there is a new target vector for attackers as well. Hiding sign-in history is also problematic because authorities and attackers could abuse that functionality to stay under the radar. Last but not least, there are always flaws in software, no matter if it is on the client or remote API side, that can be exploited even if the transport layer is a secure channel.

    SMS is not encrypted, but if implemented correctly, it is not as unsafe as one is made to believe. If the timeout for the validity of the code is small enough, and if it is depending on session data in the browser etc., it's really hard to abuse from a third-party. You're not safe from phishing attacks, but if you keep an eye on where you login or enter credentials, it's still OK.

    I think what's more important is notification messages when there are logins from unknown devices or unusual IP address ranges.
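A worked example, added here and not code from Thurrott's post, from Microsoft, or from the Microsoft Authenticator (whose push protocol is not public): the standard TOTP algorithm (RFC 4226 HOTP under RFC 6238 time steps) that authenticator apps implement for third-party accounts, which is the "app-based" alternative the article recommends. It shows why the channel problem the article describes does not arise (the shared secret crosses the network once, at enrolment, and each login only reveals a six-digit code derived from it, so there is nothing for an SS7 intercept or a SIM swap to capture), the short validity window and one-time-use check sevenacids asks for, and the hashed single-use recovery codes IanYates82 and infloop describe. The secret is the RFC 6238 test seed; the issuer and account names, the 30-second step and the one-step clock skew are assumptions made for the example.

```python
"""RFC 6238 TOTP verification plus single-use recovery codes.

Added example (not code from the article, from Microsoft or from any
authenticator app). The 30-second step, the +/-1 step skew tolerance and
the issuer/account strings below are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI an authenticator app scans (as a QR code) to enrol.
    The shared secret travels only here, at enrolment, never per login."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side state for one enrolled account."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew          # steps of clock drift tolerated either side of now
        self.last_counter = -1    # highest step already redeemed: blocks replay

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == 6):
            return False
        now = int(unix_time) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:      # already used, or older: reject
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter       # burn this step; a replay fails
                return True
        return False


class RecoveryCodes:
    """Single-use fallback codes, stored hashed so a database leak does not expose them."""

    def __init__(self) -> None:
        self.hashes: set[str] = set()

    @staticmethod
    def _normalise(code: str) -> str:
        return code.replace("-", "").replace(" ", "").lower()

    @classmethod
    def _hash(cls, code: str) -> str:
        # 64 bits of entropy per code make a plain SHA-256 of the code adequate here.
        return hashlib.sha256(cls._normalise(code).encode()).hexdigest()

    def generate(self, count: int = 8) -> list[str]:
        """Returns the plaintext codes, to be shown to the user exactly once."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(8)                          # 16 hex chars = 64 bits
            code = "-".join(raw[i:i + 4] for i in range(0, 16, 4))
            codes.append(code)
            self.hashes.add(self._hash(code))
        return codes

    def redeem(self, code: str) -> bool:
        """Accepts a code once and burns it."""
        digest = self._hash(code)
        if digest in self.hashes:
            self.hashes.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 Appendix B test seed
    print(provisioning_uri(seed, "Example", "alice@example.com"))
    print(totp(seed, 1111111109))           # RFC 6238 vector, last six digits
```

The verifier accepts a code from the previous or next 30-second step to absorb clock drift, but once a step has been redeemed it, and every earlier step, is refused, so a code that an attacker phishes or shoulder-surfs is useless after the victim has used it. Recovery codes are the self-service fallback several commenters asked for: generated with a CSPRNG, shown once, stored only as hashes, and consumed on first use.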

  14. wright_is

    You also missed out that in the past hackers have managed to social engineer replacement SIM cards out of the providers to intercept the SMS of the victim.