If you thought two-factor authentication (2FA) was great, Microsoft thinks otherwise. The company has been asking individuals to stop using 2FA tools that use SMS and voice calls instead of more secure modern technology.
The standard 2FA works by sending a one-time code to a device of the user’s choice. That means that the account in question can only be accessed if the user has both the correct password and the one-time code.
Microsoft’s director of identity services, Alex Weinert, however, argued in his blog post that poor level of security surrounding telephone networks mean that these types of multi-factor authentication solutions are severely lacking. Both voice calls and SMS’ are transmitted in clear text and can be easily intercepted and SMS codes are also susceptible to phishing attacks.
Weinert also added that changing regulations and performance issues makes phone networks poor choices for security tools.
Weinert explained – “Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice multi-factor authentication mechanisms,”.
“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he added.