Microsoft executive advises users to move away from SMS two-factor authentication


In context: Microsoft has been pushing for new security standards for years. Recently, the company has stepped up its efforts to remove passwords, and now Director of Identity Security Alex Weinert is urging the public to stay away from traditional two-factor authentication methods based on SMS.

Before we go any further, let’s clarify one thing: some two-factor authentication, even by SMS, is far better than no 2FA at all. Relying only on your password is risky, especially if you reuse the same password across multiple websites or services.

However, of the many 2FA options available to users these days, phone-based authentication (SMS or voice) is the least secure, according to Weinert. First, he says, many of the tactics attackers use against accounts protected by nothing more than a password, such as device theft, account takeover and social engineering, still work against SMS-based multi-factor authentication. In other words, it offers few unique advantages.

What it does have, Weinert said, are several drawbacks. For starters, SMS-based 2FA is not ‘adaptable’. Because it is not software-based, it cannot change in response to new hacking strategies, technological advancements, or “user experience expectations”. It’s always the same thing.

Most importantly, both SMS and voice protocols are transmitted ‘in the clear’, which means any ‘determined’ attacker can intercept 2FA messages and phone calls to swipe your login codes.

Weinert also believes that SMS-based 2FA is the simplest MFA method for social engineering. “Unfortunately, customer support agents are vulnerable to charm, coercion, corruption or extortion,” he wrote. “If these social engineering efforts are successful, customer support can provide SMS or voice channel access.”

App-based solutions like Authy, and hardware MFA methods like security keys, are both immune to social engineering: you are the only one with access to the codes these apps generate, and the codes expire quickly (often within 15 to 30 seconds).

Weinert presents a number of other reasons to consider switching from SMS-based 2FA, but we’ve covered the most important ones here. Naturally, towards the end of his post, he recommends Microsoft Authenticator to anyone who might be looking for an MFA app.

However, if you don’t want to use Microsoft’s service, there are other options: Google Authenticator and Authy are both great alternatives, and the latter offers a desktop version.

Image Credit: Golubovystock