Stop using phone-based multi-factor authentication: Microsoft

By Rahul Vaimal, Associate Editor

Global tech giant Microsoft has asked its users to reconsider their use of phone-based multi-factor authentication (MFA) methods such as one-time passcodes (OTPs) delivered via SMS and voice calls.

Microsoft’s Director of Identity Security, Alex Weinert, had earlier advocated for the use of MFA technologies. The Microsoft official cited internal statistics showing that users who enabled multi-factor authentication blocked as much as 99.9% of automated attacks against their Microsoft accounts.

Weinert, who has been leading Microsoft’s efforts to promote the adoption of MFA, recommends that users choose newer technologies such as app-based authenticators and security keys over conventional phone-based methods to protect their online accounts.

The security official pointed out that the telephone network transmits all SMS messages and voice calls as cleartext, so codes and credentials sent over these channels can be quickly intercepted by skilled attackers using sophisticated tools.

According to Mr. Weinert, SMS-based one-time codes can also be captured using open-source, readily available phishing tools. He further added that phone network employees can be influenced or tricked into transferring a phone number to a SIM held by a perpetrator, in attacks known as SIM swapping, which allows attackers to receive MFA one-time codes on behalf of their victims.

Mr. Weinert observed that as more and more people adopt multi-factor authentication to protect their accounts, defeating it becomes more lucrative for attackers, and the weaker but widely used phone-based methods will consequently be targeted the most because of their evident vulnerabilities.