
Microsoft wants you to stop using your phone as a security device


Microsoft is asking individuals to abandon two-factor authentication (2FA) tools that still use SMS and voice calls in favor of more modern security technology. 

Standard two-factor authentication solutions work by sending a one-time code to a chosen device. This means that a particular account can only be accessed if an individual is in possession of both the correct password and the one-time code.

However, Alex Weinert, Microsoft’s director of identity services, argues that the poor level of security surrounding telephone networks means these types of multi-factor authentication solutions are severely lacking. Both SMS and voice calls are transmitted in clear text and can be easily intercepted, while SMS codes are subject to phishing attacks. Changing regulations and performance issues also make phone networks poor choices for security tools.

Multi-factor authentication

“Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice multi-factor authentication mechanisms,” Weinert explained. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”

Weinert rightly cautions that as MFA solutions become more widely adopted, attackers will increasingly focus on finding vulnerabilities that weaken their effectiveness. He argues that security-conscious individuals should adopt Microsoft's Authenticator MFA app, or better yet, hardware security keys to protect themselves from attack.

Not that long ago, passwords were largely the only safeguard used for online services. But the security landscape has quickly moved on, and the question now is which multi-factor authentication (MFA) approach is the strongest choice.

Via ZDNet