Microsoft Urges Firms to Hang Up on Phone-Based MFA
Microsoft has urged organizations to move away from voice and SMS-based multi-factor authentication (MFA), arguing that systems relying on phone networks are increasingly limited, inflexible and insecure.
Director of identity security, Alex Weinert, explained that, while MFA is essential to protecting users’ accounts, every mechanism used to exploit credentials — including phishing, account takeover and one-time passwords — can be deployed over publicly switched telephone networks (PSTN).
They are also exposed to unique issues by virtue of the fact that SMS and voice protocols were designed without encryption.
“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them. What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” Weinert continued.
“An attacker can deploy a software-defined-radio to intercept messages, or a nearby FEMTO, or use an SS7 intercept service to eavesdrop on the phone traffic. This is a substantial and unique vulnerability in PSTN systems that is available to determined attackers.”
Social engineering attacks on mobile operators’ customer support agents are another potential route to compromise, leading to SIM swapping , call forwarding and message intercept attacks, he added.
In March, Europol announced the arrest of two dozen individuals suspected of stealing millions via SIM swapping mobile account hijacking.
Due to mobile operator performance issues and frequently changing regulations, downtime is not uncommon and it can be challenging for the MFA provider to alert the user to warn of difficulties.
Fundamentally, SMS and voice formats are not adaptable, meaning new innovations and security improvements can’t be overlayed. That’s why Weinert recommended encrypted authentication apps like Microsoft Authenticator, Google Authenticator or LastPass Authenticator.