Microsoft Issues Warning About 2 Factor Authentication
Microsoft is urging users to stop using phone-based 2 factor authentication (2FA) solutions like one-time codes sent via SMS and voice calls. These methods should be replaced with newer 2FA technologies, like app-based authenticators.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft. According to internal Microsoft statistics, Weinert said in a blog post last year that users who enabled 2FA ended up blocking around 99.9% of automated attacks against their Microsoft accounts. In his recent blog post on 10th Nov 2020, Weinert states that if users must choose between multiple 2FA solutions, they should avoid phone-based 2FA.
Voice Calls & SMS Messages Are No Longer Secure
SMS and voice calls are transmitted in cleartext which can be easily hijacked by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.
In attacks known as SIM swapping, phone network employees are targeted by hackers and tricked into transferring phone numbers to a hackers SIM card, allowing attackers to receive these 2FA one-time codes instead.
Phone networks are exposed to changing regulations, downtimes, and performance issues, which impact the availability of the 2FA mechanism overall. This can prevent users from authenticating their accounts in times of urgency.
Microsoft Recommends the Authenticator App
Weinert says that users should enable a stronger 2FA mechanism for their accounts, recommending Microsoft’s Authenticator app as a good starting point.
SMS and voice calls are the least secure 2FA method today. The Microsoft exec believes that this gap between SMS & voice-based 2FA “will only widen” in the future.
However, this doesn’t mean that users should disable SMS or voice-based 2FA for their accounts. SMS 2FA is still better than no 2FA at all.
C3 Can Help
A review of your network and applications means we can advise on where we can configure 2FA for your business. We will work with you to establish what needs protected and assist in implementation and training on how to use it.
To protect your business, your customers and your reputation, get in touch below.
Read Alex Weinert’s full blog post here >> techcommunity.microsoft.com/2FA
‘How to’ video on setting up the Microsoft Authenticator app >> microsoft.com/2factor-authentication