
Microsoft says it's time for you to stop using SMS and voice calls for multi-factor authentication

Graham CLULEY

November 12, 2020

  • SIM-swapping scams and other techniques pose risk to those who rely upon phone-based authentication
  • But don’t make the mistake of disabling MFA entirely – even vulnerable SMS-based MFA is better than no MFA at all

Regular readers of Hot for Security know that we’re big fans of multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA).

Multi-factor authentication makes it much harder for hackers to break their way into your online accounts, even if they already know your password.

An online account protected by MFA will prompt you to enter a separate one-time code – often constructed out of six random digits that expire after a short period of time – after you have entered your password.

The thinking is that a malicious hacker may have managed to correctly guess your password, or cracked it, or phished it, or even exploited the fact that you used the same password somewhere else on the internet that later got breached, but they won’t – most likely – have access to your MFA authentication code.

So, my advice is to turn on multi-factor authentication where it is supported on as many of your accounts as possible, whether it is called MFA, 2FA, or even 2SV (two-step verification). It’s an excellent step to take which will harden the security of your online accounts.

But having MFA enabled is not a guarantee that your account will never get hacked, and that’s especially true if you are using phone-based MFA – which is often delivered via an SMS message.

As we have described before on a number of occasions, hackers have successfully pulled off a SIM-swapping scam.

If successful, a SIM swap (also known as a “Port out” scam) can mean that a criminal now has control over your phone number, and will receive any calls made to you and receive any SMS text messages.

In short, if you’re relying upon an SMS or voice message to deliver your MFA code to you it has now been handed straight to a potential hacker instead.

And it’s for that reason that Alex Weinert, Microsoft’s director of identity security, has this week urged users to stop using telephone voice messages and SMS text messages for MFA.

“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” wrote Weinert. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

So what should you do?

Weinert argues that you would be better off using a smartphone authentication app to generate your one-time password.

Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.

So what shouldn’t you do?

Please don’t disable SMS-based multi-factor authentication on your accounts if you don’t have another form of authentication to move to. Even though SMS and voice calls are probably the least secure method of MFA, they are still better than nothing. So take steps to harden your security, but don’t throw the baby out with the bathwater.
