IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft says skip SMS and voice multi-factor authentication

Firm argues some forms of MFA are vulnerable to social engineering attacks

Desktop monitor and mobile phone with hand pointing

Microsoft is warning businesses against using multi-factor authentication (MFA) systems that rely on voice and SMS due to security concerns. 

In a blog post, Microsoft director of identity security Alex Weinert provides a range of reasons why businesses should avoid SMS and voice MFA.

“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” Weinert writes. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Lack of encryption

What’s particularly problematic with SMS and voice-based MFA is they use no encryption, making it easy for hackers to intercept them, according to Weinert. 

“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols)”

“What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.”

Social engineering

Weinert also believes SMS and voice-based MFA are more susceptible to social engineering techniques. In particular, he says customer support agents are “vulnerable to charm, coercion, bribery, or extortion.” With those tactics, perpetrators could trick customer support representatives into providing “access to the SMS or voice channel.” 

Weinert adds, “While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking.”

Performance issues

Another issue is that these systems can be affected by mobile operator performance, with Weinert explaining they “are not 100% reliable, and reporting is not 100% consistent.”

He also pointed out that evolving regulations make these techniques challenging. “Due to the increase in spam in SMS formats, regulators have required regulations on identifying codes, transmit rates, message content, permission to send, and response to messages like ‘STOP.’”

“Unfortunately, however, these regulations change rapidly and are inconsistent from region to region and can (and have) resulted in major delivery outages. More outages, more user frustration.”

Phishing threats

Furthermore, the lack of context in SMS and GSM communications makes phishing an even bigger threat to people who use these types of MFA. 

Weinert says, “In practical terms, the text or voice mediums limit how much information can be communicated to a user – SMS carries 160 characters, 70 if not using GSM, and once we get into languages which require encoding, the practical limit without message splitting is only around half that.“

“Phishing is a serious threat vector, and we want to empower the user with as much context as possible (or, using Windows Hello or FIDO, make phishing impossible) – SMS and voice formats restrict our ability to deliver the context under which authentication is being requested.”

Jake Moore, a security specialist at ESET, believes SMS-based MFA isn’t as safe as physical security keys or app-based tokens. 

He told ITPro, “SMS messages are easily hacked as they are not encrypted and are at risk of SIM swapping attacks. However, if this is the only option, then it is still better than not having any extra verification.”

“Authenticator apps should be one of the first apps you install on your device and be used with every account you own. To go one step further, hardware security tokens are even more secure as they cannot be used in sophisticated social engineering techniques.“

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download


Best free malware removal tools 2022

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide

CIAM buyer’s guide

6 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Swift exit: How the world cut off Russian banks

Swift exit: How the world cut off Russian banks

24 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022