Microsoft Corp (NASDAQ:MSFT) has told users to stop using SMS multi-factor authentication and adopt newer MFA techs such as app-based authenticators and security keys.
Hackers could target voice and SMS-based MFA
Alex Weinert, the company’s Identity Security Director, warned that voice and SMS MFA are the least secure multi-factor authentication methods currently available. Although any form of 2FA is more secure than relying on a password alone, SMS-based security is risky because it can be compromised through SIM swapping or interception by hackers. Over the past year, Weinert has been urging users to enable two-factor authentication for their online accounts. Last year Weinert indicated in a blog post that users who had enabled MFA blocked almost 99.9% of automated attacks on their Microsoft accounts.
Weinert believes that the security gap between voice/SMS-based MFA and stronger methods will continue to widen in the future. As MFA adoption increases, hackers will step up their efforts to defeat it, and SMS-based MFA will be the primary target. He recommends Microsoft’s Authenticator as a starting point, but for enhanced security, users should adopt hardware security keys.
Telephone networks easily compromised by hackers
In a follow-up post, Weinert is now advising users who rely on MFA to avoid telephone-based methods altogether. He cited several security issues with the current state of telephone networks. Weinert explained that voice calls and SMS are usually transmitted in clear text, which means hackers can intercept them with tools such as femtocells, SS7 intercept services, and software-defined radios. SMS-based codes are also easily phishable with open-source phishing tools such as Evilginx, CredSniper, and Modlishka.
Regarding SIM swapping, telephone network employees can be compromised into transferring a victim’s phone number to a hacker’s SIM card, which lets the hacker receive the victim’s MFA codes. Phone networks also suffer from changing regulations, performance issues, and downtime, all of which affect the MFA mechanism as a whole and can prevent authentication at the moment it is urgently needed.