If you use multi-factor authentication methods such as SMS codes and voice calls, you might want to reconsider.
Microsoft is urging users to adopt newer multi-factor authentication (MFA) technologies such as app-based authenticators and security keys instead of relying on the older, widely used methods, which are vulnerable.
Alex Weinert, Director of Identity Security at Microsoft, has issued a warning in which he says users need to embrace advanced security measures such as MFA and enable it on all their online accounts.
Last year, in a blog post on the same topic, Weinert cited Microsoft's internal statistics, which showed that users who had enabled multi-factor authentication (MFA) blocked close to 99.9% of automated attacks against their Microsoft accounts.
Now, in a follow-up blog post published today, Weinert says that if users have to choose among the various MFA solutions available, they should stay away from the telephone-based ones.
According to the Microsoft executive, the state of telephone networks raises several security issues, and therefore neither SMS nor phone calls should be relied upon for authentication.
He explained that both voice calls and SMS are transmitted in cleartext and are not encrypted in any way, so they can be intercepted by attackers who know what they are doing. Determined threat actors can use techniques and tools such as femtocells, software-defined radios or SS7 intercept services to compromise accounts with little effort.
Weinert also mentioned that SMS-based one-time codes can be obtained by malicious hackers through phishing. Readily available open-source tools such as Modlishka, CredSniper and Evilginx make this kind of attack easy to carry out.
Furthermore, besides intercepting cleartext, in the case of voice calls hackers can use social engineering on phone network employees to trick them into transferring a victim's phone number to a SIM card the attacker controls. This method is known as SIM swapping, and it allows attackers to receive MFA codes without breaking a sweat.
Lastly, and most importantly, the biggest reason not to rely on telephone-based MFA is that phone networks are constantly subject to changing regulations, performance issues, downtime and so on, all of which can affect the timely availability of the MFA mechanism. It is therefore quite possible that users will sometimes be unable to authenticate, even at a moment of urgency.
It is important to note that SMS- and voice-based authentication are still the most popular and widely used MFA methods employed by most companies today.
So, what exactly should replace the MFA methods being phased out?
Weinert suggests that users can get started with Microsoft's Authenticator app, which he holds up as an example of what a stronger MFA mechanism should look like.
If you are not comfortable with Microsoft's suggestion, Google Authenticator is an alternative.
And for users who really want to take their security to a whole new level, the Microsoft executive recommends hardware security keys, which he personally ranked as the best possible MFA option in last year's blog post.
All in all, it is well understood that passwords alone are no longer a viable way to secure your online identity, and since MFA solutions are themselves being replaced by newer, more robust ones, it pays to keep an eye on what the next best option is at any given moment.
Do you use an MFA solution for your online accounts? If so, which one? Let us know in the comments down below.