[ad_1]
Microsoft is urging users to move away from phone-based multi-factor authentication (MFA) solutions, such as one-time codes sent via SMS and voice calls, and replace them instead with new MFA technologies, such as application-based authenticators and security keys.
The warning comes from Alex weinert, Director of Identity Security at Microsoft. For the past year, Weinert has championed Microsoft’s interests, urging users to adopt and enable multi-factor authentication for their online accounts.
Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking about 99.9% of automated attacks against their Microsoft accounts.
But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from MFA over the phone.
The Microsoft executive cites several known security issues, not with MFA, but with the state of telephone networks today.
Weinert claims that SMS and voice calls are transmitted in clear text and can be easily intercepted by determined attackers, using techniques and tools such as software-defined radios, FEMTO cells, or service provider. SS7 interception.
SMS-based one-time codes are also hashable via open source and readily available phishing tools like Modlishka, CredSniper or Evilginx.
In addition, telephone network employees may be tricked into transferring phone numbers to a threat actor’s SIM card – in attacks known as SIM card swapping – allowing attackers to receive MFA codes for use. unique on behalf of their victims.
In addition to this, phone networks are also exposed to changing regulations, downtime, and performance issues, all of which impact the availability of the MFA mechanism as a whole, which in turn prevents users to authenticate to their account in times of emergency.
SMS and voice calls are the least secure MFA method today
All of these make SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.
The Microsoft executive believes that this gap between SMS and voice-based MFA “will only widen” in the future.
As the adoption of MFA increases globally, with more and more users adopting MFA for their accounts, attackers will also be more interested in breaking MFA methods, with voice-based SMS and MFA becoming naturally their main target because of its massive adoption.
Weinert says users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft’s MFA Authenticator app as a good place to start.
But if users want the best, they should go for hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
PS: This should not mean that users have to disable SMS or voice multifactor authentication for their accounts. SMS MFA is still much better than no MFA.
[ad_2]
Source link