Microsoft says it's time for you to stop using SMS and voice calls for multi-factor authentication
- SIM-swapping scams and other techniques pose risk to those who rely upon phone-based authentication
- But don’t make the mistake of disabling MFA entirely – even vulnerable SMS-based MFA is better than no MFA at all
Regular readers of Hot for Security know that we’re big fans of multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA).
Multi-factor authentication makes it much harder for hackers to break their way into your online accounts, even if they already know your password.
An online account protected by MFA will prompt you to enter a separate one-time code – often constructed out of six random digits that expire after a short period of time – after you have entered your password.
The thinking is that a malicious hacker may have managed to correctly guess your password, or cracked it, or phished it, or even exploited the fact that you used the same password somewhere else on the internet that later got breached, but they won’t – most likely – have access to your MFA authentication code.
So, my advice is to turn on multi-factor authentication where it is supported on as many of your accounts as possible, whether it is called MFA, 2FA, or even 2SV (two-step verification). It’s an excellent step to take which will harden the security of your online accounts.
But having MFA enabled is not a guarantee that your account will never get hacked, and that’s especially true if you are using phone-based MFA – which is often delivered via an SMS message.
If successful, a SIM swap (also known as a “Port out” scam) can mean that a criminal now has control over your phone number, and will receive any calls made to you and receive any SMS text messages.
In short, if you’re relying upon an SMS or voice message to deliver your MFA code to you it has now been handed straight to a potential hacker instead.
And it’s for that reason that Alex Weinert, Microsoft’s director of identity security, has this week urged users to stop using telephone voice messages and SMS text messages for MFA.
“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” wrote Weinert. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”
So what should you do?
Weinert argues that you would be better off using a smartphone authentication app to generate your one-time password.
Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.
So what shouldn’t you do?
Please don’t disable SMS-based multi-factor authentication on your accounts if you don’t have another form of authentication to which to move. Even though SMS and voice calls are probably the least secure method of MFA, it is still better than nothing. So take steps to harden your security, but don’t throw the baby out with the bathwater.