Microsoft says skip SMS and voice multi-factor authentication

Firm argues some forms of MFA are vulnerable to social engineering attacks

Desktop monitor and mobile phone with hand pointing

Microsoft is warning businesses against using multi-factor authentication (MFA) systems that rely on voice and SMS due to security concerns. 

In a blog post, Microsoft director of identity security Alex Weinert provides a range of reasons why businesses should avoid SMS and voice MFA.

“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” Weinert writes. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Lack of encryption

What’s particularly problematic with SMS and voice-based MFA is they use no encryption, making it easy for hackers to intercept them, according to Weinert. 

“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols)”

“What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.”

Social engineering

Weinert also believes SMS and voice-based MFA are more susceptible to social engineering techniques. In particular, he says customer support agents are “vulnerable to charm, coercion, bribery, or extortion.” With those tactics, perpetrators could trick customer support representatives into providing “access to the SMS or voice channel.” 

Weinert adds, “While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking.”

Performance issues

Another issue is that these systems can be affected by mobile operator performance, with Weinert explaining they “are not 100% reliable, and reporting is not 100% consistent.”

He also pointed out that evolving regulations make these techniques challenging. “Due to the increase in spam in SMS formats, regulators have required regulations on identifying codes, transmit rates, message content, permission to send, and response to messages like ‘STOP.’”

“Unfortunately, however, these regulations change rapidly and are inconsistent from region to region and can (and have) resulted in major delivery outages. More outages, more user frustration.”

Phishing threats

Furthermore, the lack of context in SMS and GSM communications makes phishing an even bigger threat to people who use these types of MFA. 

Weinert says, “In practical terms, the text or voice mediums limit how much information can be communicated to a user – SMS carries 160 characters, 70 if not using GSM, and once we get into languages which require encoding, the practical limit without message splitting is only around half that.“

“Phishing is a serious threat vector, and we want to empower the user with as much context as possible (or, using Windows Hello or FIDO, make phishing impossible) – SMS and voice formats restrict our ability to deliver the context under which authentication is being requested.”

Jake Moore, a security specialist at ESET, believes SMS-based MFA isn’t as safe as physical security keys or app-based tokens. 

He told ITPro, “SMS messages are easily hacked as they are not encrypted and are at risk of SIM swapping attacks. However, if this is the only option, then it is still better than not having any extra verification.”

“Authenticator apps should be one of the first apps you install on your device and be used with every account you own. To go one step further, hardware security tokens are even more secure as they cannot be used in sophisticated social engineering techniques.“

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

What is e-safety?
e safety

What is e-safety?

27 Jan 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Mimecast links breach to SolarWinds hackers
Security

Mimecast links breach to SolarWinds hackers

27 Jan 2021
TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
Hackers are actively exploiting three Apple iOS flaws
exploits

Hackers are actively exploiting three Apple iOS flaws

27 Jan 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

26 Jan 2021