Microsoft advises users to stop using phone-based multi-factor authentication (MFA) methods that deliver security codes via SMS or voice call, as these are currently the least secure option.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft, who says that passwords alone are no longer an effective way to prevent account breaches, and that while phone-based authentication adds a layer of protection, that protection is not guaranteed.
Why are phone-based two-factor authentication solutions becoming less secure?
Weinert emphasized that using any form of MFA is better than relying on a password alone, because it greatly raises the cost for attackers trying to break into an account; this is why accounts protected by any kind of MFA are compromised far less often than password-only accounts.
Weinert said in a post last year: “Users who enabled the two-factor authentication (MFA) feature on their accounts avoided about 99.9% of the robotic attacks that targeted their Microsoft accounts.”
But in a recent report he stressed that delivering authentication codes over the public switched telephone network (PSTN) is the least secure of the available MFA methods, for the following reasons:
- PSTN systems are not 100% reliable, so a message or call may not arrive when it is needed.
- Attackers can redirect SMS messages or phone calls to another number by tricking telecom customer-support staff into moving the victim's phone number to a different SIM card (attacks known as SIM swapping or SIM splitting), allowing them to receive authentication codes in the user's place.
- SMS and phone calls were not designed with encryption and can be intercepted.
It is worth noting that Jack Dorsey, founder and CEO of Twitter, was the victim of exactly such an attack in August 2019: attackers used SIM splitting to take over his phone number, which let them post tweets to his Twitter account via SMS.
What is the best solution now?
MFA remains one of the most important protections available for securing accounts, and its value is not in dispute; but as more users adopt it, attackers will look for new ways to obtain the one-time codes it requires.
So Weinert advises users to move away from phone-based methods to app-based authentication, naturally recommending Microsoft Authenticator.
Other apps offer the same function, including Google Authenticator, which generates identity-verification codes that are hard for an attacker to obtain, because they would need access to your phone itself.
The ideal option, however, is a physical security key: no code is needed to verify your identity, the device (usually in the form of a USB key) performs the authentication itself, and it is safer than a software app, which could be used against your accounts if you lose your phone. With a security key, an attacker would first have to steal the key itself to gain access to your account.