Microsoft has once again warned that phone-based multi-factor authentication, that is, one-time codes delivered by SMS message or voice call, is insecure. Instead, the company is urging users to move to newer methods such as authenticator apps and hardware security keys.
This time, the warning comes from the company’s head of identity security, Alex Weinert.
Weinert now explains that a user who can choose between several MFA methods should never pick the phone.
His first objection is that phone-based MFA is only as secure as the public telephone network it rides on. SMS messages and voice calls are transmitted in the clear, so attackers can intercept them with tools and techniques such as software-defined radio (SDR), rogue femtocells, or attacks on the SS7 signaling protocol.
In addition, one-time codes sent by SMS can be captured with freely available open-source phishing toolkits such as Modlishka, CredSniper or Evilginx, which present a look-alike login page and collect the code as the victim types it. Alternatively, fraudsters can deceive mobile operator employees into moving the victim's number to a SIM card the attackers control (a SIM swap), after which the one-time MFA codes for the target are delivered straight to them.
Weinert advises users to switch to a stronger MFA method wherever one is available, and recommends the Microsoft Authenticator app. Those who want the strongest option should use hardware security keys, which Weinert already called the best MFA solution last year.
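To make the difference between the phishing tools named above and the hardware keys Weinert recommends concrete, here is an added example, not Microsoft's code and not code from Modlishka, CredSniper or Evilginx, that models a real-time phishing relay in Python. The relying party, the key, the proxy and the two origins (bank.example and bank-login.example) are hypothetical, and the key's response is a keyed HMAC standing in for a FIDO2/WebAuthn public-key signature. It shows why a relayed one-time code logs the attacker in while a relayed key challenge does not.

```python
"""Toy model of a real-time phishing relay against two second factors.

The relay is the technique that tools such as Modlishka or Evilginx
automate.  Added illustration, not Microsoft's or those projects' code;
Bank, SecurityKey, PhishingProxy and the two origins are hypothetical.
"""
import hashlib
import hmac
import secrets
import struct
import time

BANK_ORIGIN = "https://bank.example"         # legitimate site (hypothetical)
PHISH_ORIGIN = "https://bank-login.example"  # attacker's look-alike (hypothetical)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code an app or SMS delivers."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """Relying party that accepts an OTP code or an origin-bound key assertion."""

    def __init__(self) -> None:
        self.otp_secret = secrets.token_bytes(20)
        self.key_secret = secrets.token_bytes(32)  # stand-in for the credential public key
        self.pending = set()

    def login_with_otp(self, code: str, now: float) -> bool:
        # A code is a bearer token: whoever presents it inside the window gets in.
        return hmac.compare_digest(code, totp(self.otp_secret, now))

    def begin_key_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def finish_key_login(self, challenge: bytes, origin: str, signature: bytes) -> bool:
        # WebAuthn-style checks: our challenge, our origin, signature over both.
        if challenge not in self.pending or origin != BANK_ORIGIN:
            return False
        expected = hmac.new(self.key_secret, challenge + origin.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(challenge)
        return True


class SecurityKey:
    """Hardware key whose credential is scoped to one relying-party ID."""

    def __init__(self, rp_id: str, secret: bytes) -> None:
        self.rp_id, self.secret = rp_id, secret

    def sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser, not the page, reports the origin; a credential is only
        # usable for its own RP ID, so a look-alike domain gets no assertion.
        host = origin.split("://", 1)[1]
        if host != self.rp_id and not host.endswith("." + self.rp_id):
            raise PermissionError(f"no credential registered for {host}")
        return hmac.new(self.secret, challenge + origin.encode(), hashlib.sha256).digest()


class PhishingProxy:
    """Reverse proxy sitting between the victim and the real site."""

    def __init__(self, bank: Bank) -> None:
        self.bank = bank

    def relay_otp(self, victim_code: str, now: float) -> bool:
        # The victim typed the code into the look-alike page; the proxy
        # forwards it to the real site before it expires.
        return self.bank.login_with_otp(victim_code, now)

    def relay_key_login(self, victim_key: SecurityKey) -> bool:
        challenge = self.bank.begin_key_login()  # fetched from the real site
        try:
            sig = victim_key.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the phishing origin
        except PermissionError:
            return False
        # Even a key that did sign would have bound the phishing origin into the assertion.
        return self.bank.finish_key_login(challenge, PHISH_ORIGIN, sig)


def demo() -> dict:
    """Run both factors through the proxy, plus one honest key login for comparison."""
    bank = Bank()
    proxy = PhishingProxy(bank)
    now = time.time()
    victim_code = totp(bank.otp_secret, now)  # what the SMS or app shows the victim
    key = SecurityKey("bank.example", bank.key_secret)
    honest_challenge = bank.begin_key_login()
    return {
        "otp_relayed_by_proxy": proxy.relay_otp(victim_code, now),
        "key_relayed_by_proxy": proxy.relay_key_login(key),
        "key_honest_login": bank.finish_key_login(
            honest_challenge, BANK_ORIGIN, key.sign(honest_challenge, BANK_ORIGIN)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'LOGGED IN' if ok else 'REJECTED'}")
```

The OTP path succeeds whether the code came from an SMS or from an authenticator app: the code is a bearer token, and the proxy only has to forward it inside the validity window. The key path fails twice over: the browser reports the phishing origin, so the key refuses to use a credential scoped to bank.example, and even an assertion that was produced would carry the wrong origin when the bank verifies it. That origin binding, rather than the hardware as such, is what makes security keys resistant to the toolkits listed above; protection against SIM swap and SS7 interception comes simply from not touching the phone network at all.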
Let me remind you that Weinert's position is not new at all. Back in 2016, the National Institute of Standards and Technology (NIST) published a draft of its Digital Identity Guidelines (SP 800-63B) that deprecated SMS as an out-of-band second factor and warned that it might not be allowed at all in future editions, on the grounds that the channel is insecure.
Let me remind you that researchers hacked the TikTok app via SMS, and I also wrote that attackers can bypass TikTok multi-factor authentication through the site.