Microsoft Director of Identity Security Alex Weinert advised in “It’s Time to Hang Up on Phone Transports for Authentication” that it’s time to move on from public switched networks for authentication such as SMS and voice call one-time codes, and move to more secure MFA solutions such as app-based authenticators and security keys.
SMS based 2FA has notoriously been weaker compared with physical security keys or authenticator app-based tokens. SMS messages can be hacked in a number of simple ways and remain at risk of SIM swapping attacks, where victims have their telecoms provider switch their SIM to another device without their knowledge. Then SMS one time passwords are sent to the attacker’s device. However, if SMS is the only 2FA option, it is still better than nothing.
Authenticator apps are simple to use and should be a default app you install on your devices. To go one step further, hardware security tokens such as a given USB with private keys built-in are even more secure as they cannot be used in increasingly sophisticated social engineering techniques.
Passwords with less than 25 characters are easier to break into, and the highly organized and categorized wealth of data on the dark web makes finessing of logons easier than ever before.
Surprisingly, there are many financial institutions that don’t even enable 2FA, and that only allow passwords of up to a certain length – typically 20 characters or less. This shows they’re unserious about security, as are so many public services programs such as Medical. They require a high amount of personal data from participants but provide less than robust security to protect that data. Companies and organizations that offer only 20-character-or-less passwords are failing consumers and asking for trouble.
Also, another gap in the 2FA authentication stew: network service providers’ customer services staffs often aren’t trained on SIM Swapping phishing. An imposter can call and say I want my number to be attached to this phone, and then receive 2FA and conduct directed attacks. Stalker victims, those in abusive relationships, and high net worth individuals are particular targets. Such an attack leverages the trove of data available on social and the dark web such as social security numbers, mothers’ maiden names, etc., and starts with: “I lost my phone” or “I’m switching to a new phone…
Multi-factor authentication apps and security keys are the best way to prevent attacks, but very few companies use them, and consumer education is essentially non-existent. That’s got to change.
Microsoft\’s recommendation to move away from Phone and SMS based multi-factor authentication is timely and in line with what many in the industry have been saying for several years. It is far too easy for an attacker to spoof communication-based on phone calls and text messages, where App and Token-based solutions are much more robust and harder to bypass. Fortunately, security analytics tools can identify breached accounts. However, it is always better to use technologies that can prevent a breach in the first place.
I wouldn’t sound the alarm for everyone using phone-based 2FA. No security is perfect. A determined and well-funded actor with lots of time and resources can indeed defeat such 2FA security for worthy targets. But it does not mean everyone needs to worry about their bank’s 2FA using phones. It requires much more access than what a cybergang member in a foreign country would have access to. The only caveat to that is the social engineering tactics used to perform SIM swapping, which would transfer your phone number to someone else illegitimately.