Microsoft has advised users to move away from SMS multi-factor authentication (MFA) in favour of more secure technologies.
In a blog post, Alex Weinert, director of identity security at Microsoft, described SMS and voice MFA as “the least secure of the MFA methods available today”.
Of course, any form of 2FA will always be more secure than relying on a password alone, but SMS-based security can be compromised through a SIM swapping attack or interception by an attacker.
In a SIM swapping attack, an attacker contacts an individual’s mobile phone provider, usually armed with details gathered through phishing or social engineering, and tricks the provider into issuing them a new SIM for the victim’s number. Texts and calls intended for the victim are then diverted to the attacker’s device.
It is also possible for attackers to intercept unencrypted SMS and voice MFA codes; Weinert explains that attackers can deploy a software-defined radio or an SS7 intercept service to access messages and calls before they reach their intended recipient.
He highlighted that the more widely MFA is used, the more attackers will focus their attention on its weaknesses.
Furthermore, SMS and voice MFA formats are not adaptable, meaning they are difficult to update in line with technical advances in security.
Weinert therefore recommends multi-factor authentication apps such as Microsoft Authenticator or OneLogin, and physical security keys such as the YubiKey or Google Titan Key, as more secure alternatives.
Jake Moore, cybersecurity specialist at ESET, said:
“SMS-based 2FA has notoriously been weaker compared with physical security keys or authenticator app-based tokens. SMS messages can be hacked in a number of simple ways and remain at risk of SIM swapping attacks, where victims have their telecoms provider switch their SIM to another device without their knowledge. Then SMS one-time passwords are sent to the attacker’s device. However, if SMS is the only 2FA option, it is still better than nothing.
“Authenticator apps are simple to use and should be a default app you install on your devices. To go one step further, hardware security tokens such as a given USB with private keys built-in are even more secure as they cannot be used in increasingly sophisticated social engineering techniques.”