Stop using your phone as a safety device, says Microsoft
If you thought two-factor authentication (2FA) was great, Microsoft thinks otherwise. The company has called on individuals to stop using 2FA tools that use texting and voice calls instead of modern, more secure technology.
Standard 2FA works by sending a one-time code to a device of the user’s choice. This means that the account in question is only accessible if the user has both the correct password and the one-time code.
Microsoft’s director of identity services, Alex Weinert, however, said in a blog post that the low level of security of telephone networks means that these types of multi-factor authentication solutions are sorely lacking. Voice calls and SMS are transmitted in clear text and can be easily intercepted, and SMS codes are also susceptible to phishing attacks.
Weinert also added that changing regulations and performance issues make phone networks poor choices for security tools.
Weinert explained, “Today I want to do what I can to convince you that it is time to move away from SMS and voice multifactor authentication mechanisms.”
“These mechanisms are based on Public Switched Telephone Networks (PSTNs), and I believe they are the least secure of the MFA methods available today. This gap will only widen as the adoption of MFA increases the interest of attackers in cracking these methods and as specially crafted authenticators extend their security and usability benefits,” he added.
In his article, Weinert warned that as MFA (multi-factor authentication) solutions became more widely adopted, attackers “would focus more and more on finding vulnerabilities that weaken their effectiveness.”
He added that security-conscious people should adopt Microsoft’s Authenticator MFA app, or better yet, hardware security keys to protect themselves from attacks.