fbpx

Due to continued growth and investment we are hiring a range of positions from Support Desk Engineers to Marketing Executives: APPLY NOW

Microsoft Issues Warning About 2 Factor Authentication

Patrick Cassidy
Nov 16

Microsoft Issues Warning About 2 Factor Authentication

Microsoft is urging users to stop using phone-based 2 factor authentication (2FA) solutions like one-time codes sent via SMS and voice calls. These methods should be replaced with newer 2FA technologies, like app-based authenticators.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. According to internal Microsoft statistics, Weinert said in a blog post last year that users who enabled 2FA ended up blocking around 99.9% of automated attacks against their Microsoft accounts. In his recent blog post on 10th Nov 2020, Weinert states that if users must choose between multiple 2FA solutions, they should avoid phone-based 2FA.

Voice Calls & SMS Messages Are No Longer Secure

No Encryption

SMS and voice calls are transmitted in cleartext which can be easily hijacked by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.

SIM Swapping

In attacks known as SIM swapping, phone network employees are targeted by hackers and tricked into transferring phone numbers to a hackers SIM card, allowing attackers to receive these 2FA one-time codes instead.

Phone Networks

Phone networks are exposed to changing regulations, downtimes, and performance issues, which impact the availability of the 2FA mechanism overall. This can prevent users from authenticating their accounts in times of urgency.

Microsoft Recommends the Authenticator App

Weinert says that users should enable a stronger 2FA mechanism for their accounts, recommending Microsoft’s Authenticator app as a good starting point.

SMS and voice calls are the least secure 2FA method today. The Microsoft exec believes that this gap between SMS & voice-based 2FA “will only widen” in the future.

However, this doesn’t mean that users should disable SMS or voice-based 2FA for their accounts. SMS 2FA is still better than no 2FA at all.

C3 Can Help

A review of your network and applications means we can advise on where we can configure 2FA for your business. We will work with you to establish what needs protected and assist in implementation and training on how to use it.

To protect your business, your customers and your reputation, get in touch below.

ionic-it.com/contact-us/

hello@ionic-it.com

028 7964 5865

More Information

Read Alex Weinert’s full blog post here >> techcommunity.microsoft.com/2FA

‘How to’ video on setting up the Microsoft Authenticator app >> microsoft.com/2factor-authentication