Microsoft says skip SMS and voice multi-factor authentication

Firm argues some forms of MFA are vulnerable to social engineering attacks

Microsoft is warning businesses against using multi-factor authentication (MFA) systems that rely on voice and SMS due to security concerns. 

In a blog post, Microsoft director of identity security Alex Weinert provides a range of reasons why businesses should avoid SMS and voice MFA.

“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” Weinert writes. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Lack of encryption

What’s particularly problematic with SMS and voice-based MFA is they use no encryption, making it easy for hackers to intercept them, according to Weinert. 

“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols)”

“What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.”

Social engineering

Weinert also believes SMS and voice-based MFA are more susceptible to social engineering techniques. In particular, he says customer support agents are “vulnerable to charm, coercion, bribery, or extortion.” With those tactics, perpetrators could trick customer support representatives into providing “access to the SMS or voice channel.” 

Weinert adds, “While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking.”

Performance issues

Another issue is that these systems can be affected by mobile operator performance, with Weinert explaining they “are not 100% reliable, and reporting is not 100% consistent.”

He also pointed out that evolving regulations make these techniques challenging. “Due to the increase in spam in SMS formats, regulators have required regulations on identifying codes, transmit rates, message content, permission to send, and response to messages like ‘STOP.’”

“Unfortunately, however, these regulations change rapidly and are inconsistent from region to region and can (and have) resulted in major delivery outages. More outages, more user frustration.”

Phishing threats

Furthermore, the lack of context in SMS and GSM communications makes phishing an even bigger threat to people who use these types of MFA. 

Weinert says, “In practical terms, the text or voice mediums limit how much information can be communicated to a user – SMS carries 160 characters, 70 if not using GSM, and once we get into languages which require encoding, the practical limit without message splitting is only around half that.“

“Phishing is a serious threat vector, and we want to empower the user with as much context as possible (or, using Windows Hello or FIDO, make phishing impossible) – SMS and voice formats restrict our ability to deliver the context under which authentication is being requested.”

Jake Moore, a security specialist at ESET, believes SMS-based MFA isn’t as safe as physical security keys or app-based tokens. 

He told ITPro, “SMS messages are easily hacked as they are not encrypted and are at risk of SIM swapping attacks. However, if this is the only option, then it is still better than not having any extra verification.”

“Authenticator apps should be one of the first apps you install on your device and be used with every account you own. To go one step further, hardware security tokens are even more secure as they cannot be used in sophisticated social engineering techniques.“

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

What are biometrics?
Security

What are biometrics?

27 Nov 2020
Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020

Most Popular

46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020