Multi-factor authentication is an important security measure to prevent compromised credentials from being used to gain access to accounts and sensitive data, but not all forms of MFA are equal. Earlier this year, Microsoft explained in a blog post that MFA is effective at blocking 99.9% of automated attacks on Microsoft accounts. While the advice remains the same – enable MFA on all accounts if possible – Microsoft is now urging users to stop using phone-based MFA solutions.
MFA is the use of multiple methods of authentication, usually a username and password in combination with another factor. The most common implementation of MFA is the use of SMS messages or automated voice calls to deliver a one-time code that must be entered in addition to a password before account access is granted.
The use of these phone-based MFA implementations is far better than no MFA at all, but there are potential security issues with telephone networks that could allow MFA controls to be bypassed. Therefore, if faced with a choice of different MFA implementations, users should opt for newer MFA technologies such as security keys and app-based authenticators.
In a recent follow-up to the July 2020 blog post urging users to implement MFA, Microsoft’s Director of Identity Security, Alex Weinert, explained some of the flaws in phone-based MFA. There is nothing wrong with MFA itself, which is effective at blocking attacks. The problem is how MFA codes are transmitted. SMS and voice calls are transmitted in cleartext, which means that if they are intercepted, the codes can easily be obtained. Determined attackers could use a range of methods to obtain those codes, such as SS7 intercept services or software-defined radios.
SIM swapping attacks could also be performed, where a threat actor contacts a phone company, impersonates an individual, and arranges to have their mobile number transferred to a different SIM card, which would allow any MFA codes or voice codes to be obtained. One-time SMS codes could also potentially be obtained using open source phishing tools such as CredSniper.
MFA can prevent 99.9% of attacks, but SMS and voice-based MFA are the least secure implementations, so they should be avoided if other solutions are available. Weinert has suggested that Microsoft’s Authenticator app is a much better alternative to SMS and voice call authentication, but for the best protection hardware security keys should be used.
It is, however, important to stress that SMS and phone-based MFA is far more secure than not implementing MFA at all, so it should be considered the minimum level of security for all accounts.