Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts. Weinert says that if users have to choose between multiple MFA solutions, they should try to avoid telephone-based MFA.
The Microsoft exec cites several known security issues, not with MFA itself, but with the state of today's telephone networks. Weinert says that both SMS messages and voice calls are transmitted in cleartext and can be intercepted by determined attackers using various techniques and tools. Further, phone network employees can be tricked into transferring a phone number to a threat actor's SIM card (an attack known as SIM swapping), allowing the attacker to receive MFA one-time codes on behalf of the victim.
On top of these attack strategies, phone networks are also exposed to changing regulations, downtime, and performance issues, all of which affect the availability of the MFA mechanism as a whole and, in turn, can prevent users from authenticating to their accounts at moments of urgency.
All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert. For his recommendations on how to best protect yourself, read the article in its entirety here.