Researchers acknowledge that two-factor authentication is not perfect, but Microsoft now wants you to stop using SMS and voice-call Multi-Factor Authentication (MFA) altogether. Microsoft’s director of identity security, Alex Weinert, has published a detailed blog post arguing that phone-based multi-factor authentication is the least secure of the MFA methods available today.
Microsoft warns against phone-based MFA methods
It's time to move on from publicly switched networks for authentication – https://t.co/ZVVtTl16is
— Alex Weinert *is hiring* DM me! (@Alex_T_Weinert) November 10, 2020
“That [security] gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” said Weinert. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.”
There is no denying that Microsoft has been moving away from passwords for quite some time. In a report from May 2020, the company called passwords inconvenient and a drain on productivity. Microsoft continues to say that MFA is essential; the question here is not whether to use MFA but which MFA method to use.
According to Microsoft, enabling multi-factor authentication (MFA) is the least you can do to protect your accounts: the company says accounts protected by any form of MFA are compromised at a rate below 0.1% of the general population. Requiring anything beyond a password significantly raises the cost of an attack.
Attackers can exploit weaknesses in MFA methods that rely on the public switched telephone network (PSTN) to compromise all sorts of credentials and gain complete control over online accounts.
Disadvantages of using phone-based MFA mechanisms
Weinert lists the following drawbacks of phone-based multi-factor authentication mechanisms:
- Not adaptable: the SMS and voice formats are fixed by the carriers, so they cannot be upgraded as attacks evolve
- Transmitted in the clear: codes traverse the PSTN unencrypted, so anyone with access to the telephone network can read them
- Easy to social engineer: carrier staff can be talked into porting a number to an attacker’s SIM, and users can be talked into reading a code aloud
- Subject to mobile operator performance: delivery is only as reliable as the carrier’s network, so codes arrive late or not at all
- Subject to changing regulations: telecom rules for automated messages and calls vary by country and change over time
- Limited context: a text message cannot tell the user which app or session is asking for the code
What is the best way to go forward?
So which MFA method is the most reliable? Since most users access online accounts from their mobile devices, Microsoft believes app-based authentication is the right MFA technique: SMS-based one-time passwords (OTPs) can be replaced with apps such as Google Authenticator and Microsoft Authenticator.
“The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe,” Weinert added.
Last year, Microsoft Authenticator gained an app-lock feature, along with the ability to hide notifications from the lock screen, review sign-in history within the app, and more.