Alex Weinert, Director of Identity Security for Microsoft, is leading Microsoft’s call. He and the company want users to embrace multi-factor authentication (MFA), but not through mobile phones. Phone solutions include SMS, one-off codes, and calls. Microsoft wants users to switch to better solutions like security keys, app-based authentication, and others. These are new MFA tools that provide more security. Weinert points to Microsoft data showing that those who use multi-factor authentication were able to block 99.9% of all automated attacks. These statistics cover Microsoft Accounts only. While any MFA tool is good, he suggests phone-based solutions are easier to bypass.

— Alex Weinert (@Alex_T_Weinert) November 10, 2020

According to Weinert, the problem is security issues with phone networks, not so much the MFA tools themselves.

Inherent Dangers

For example, SMS and voice call MFA solutions rely on mobile networks that transmit in cleartext. Intercepting these transmissions is relatively easy with tools that are well known to attackers. Weinert also points out that SMS solutions are open to phishing campaigns.

“Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Naturally, Weinert suggests that users adopt a Microsoft solution to handle their MFA: specifically, the company’s Authenticator tool alongside hardware security keys.
