Microsoft Asks People to Stop Using Phone-Based Multi Factor Authentication

In a recent blog post, Microsoft’s Director of Identity Security, Alex Weinert, urged users to embrace and enable MFA for their online accounts.

However, instead of opting for telephone-based multifactor authentication (MFA) solutions, which usually rely on one-time codes sent via SMS or voice calls, Weinert asked them to use the newer MFA technologies, like app-based authenticators and security keys.


The blog, citing Microsoft’s internal statistics, notes that users who had enabled multifactor authentication on their accounts blocked around 99.9 percent of automated attacks. However, users should stay away from phone-based multifactor authentication, since that method has several known security issues. Although there have been no recorded security breaches when it comes to MFA, to be on the safe side, Microsoft users should avoid it.

According to the Microsoft executive, both SMS and voice calls are transmitted in cleartext, so attackers can intercept them using tools like software-defined radios, femtocells, or SS7 intercept services. Moreover, SMS-based one-time codes are phishable, and the attackers don’t even need special technology for that: they can simply use open-source, readily available phishing tools like Modlishka, CredSniper, or Evilginx.
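To show why a one-time code relayed through a phishing proxy is accepted while a security-key assertion is not, here is an added example that is not from the article or from Microsoft: a toy Python model in which an HMAC stands in for the key’s signature, and every origin, secret and challenge is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"        # constructed, hypothetical site
PHISH_ORIGIN = "https://login-example.com.test"  # constructed, hypothetical proxy
OTP_SEED = b"constructed-shared-otp-seed"        # shared between user and site
KEY_SECRET = b"constructed-security-key-secret"  # stands in for the key's private key

def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code; the site computes the same value from the seed."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

def site_verify_otp(code: str, counter: int) -> bool:
    """The code carries no information about where the user typed it."""
    return hmac.compare_digest(code, otp_code(OTP_SEED, counter))

def key_sign(challenge: bytes, browser_origin: str) -> tuple[str, bytes]:
    """A security key signs the challenge together with the origin the browser reports."""
    msg = browser_origin.encode() + challenge
    return browser_origin, hmac.new(KEY_SECRET, msg, hashlib.sha256).digest()

def site_verify_assertion(challenge: bytes, origin: str, sig: bytes) -> bool:
    """Origin binding: the signed origin must be the real site, and the signature must cover it."""
    if origin != REAL_ORIGIN:
        return False
    expected = hmac.new(KEY_SECRET, origin.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def relay_otp_login(counter: int = 1) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    code_typed_by_victim = otp_code(OTP_SEED, counter)
    return site_verify_otp(code_typed_by_victim, counter)  # accepted: site cannot tell

def relay_key_login() -> bool:
    """Same relay against a security key: the browser tells the key the phishing origin."""
    challenge = secrets.token_bytes(32)            # issued by the real site, forwarded by proxy
    origin, sig = key_sign(challenge, PHISH_ORIGIN)
    forwarded_as_is = site_verify_assertion(challenge, origin, sig)          # wrong origin
    rewritten = site_verify_assertion(challenge, REAL_ORIGIN, sig)           # signature mismatch
    return forwarded_as_is or rewritten            # False either way

def genuine_key_login() -> bool:
    challenge = secrets.token_bytes(32)
    origin, sig = key_sign(challenge, REAL_ORIGIN)
    return site_verify_assertion(challenge, origin, sig)
```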

Weinert has called SMS and voice calls the ‘least secure MFA method today’, and he believes that the security gap between SMS- and voice-based MFA and newer methods “will only widen” in the future.

As more users adopt MFA for their accounts, attackers will become more interested in breaking MFA methods, which is easier against SMS and voice-call authentication.

He recommends the Microsoft Authenticator app for better security.
