Microsoft exec advises users to switch away from SMS-based two-factor authentication


Posts: 3,017   +590
In context: Microsoft has been pushing for new security standards for years. Recently, the company has amped up its efforts to kill off passwords, and now, company Director of Identity Security Alex Weinert is urging the public to stay away from traditional, SMS-based two-factor authentication methods.

Before moving any further, let's make one thing clear: some two-factor authentication, even SMS-based, is far, far better than no 2FA. Relying on your password alone is a risky endeavor, especially if you re-use the same password across multiple websites or services.

However, of the many 2FA options available to users these days, phone-based authentication is the least secure, according to Weinert. First, he says, many of the tactics used by hackers to expose passwords that aren't protected by an authenticator, such as device theft, "account takeover," and social engineering, still work with SMS-based multi-factor-authentication. In other words, it has few unique advantages.

What it does have, Weinert says, are several unique disadvantages. For starters, SMS-based 2FA is not "adaptable." Because it isn't software based, it cannot change in response to new hacking strategies, technological advances, or "user experience expectations." It's always the same.

More importantly, though, SMS and voice protocols are transmitted "in the clear," meaning any "determined" attacker can intercept 2FA messages and phone calls to swipe your login codes.

"Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion."

Weinert also believes SMS-based 2FA is the easiest MFA method to social engineer. "Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion," he writes. "If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel."

App-based solutions like Authy, or even hardware MFA methods like security keys, are both immune to social engineering: you are the only one with access to the codes those apps generate, and they refresh very quickly (often within 15-30 seconds).

Weinert lays out a number of other reasons to consider switching away from SMS-based 2FA, but we've covered the most important ones here. Naturally, toward the end of his post, he recommends Microsoft Authenticator to anyone who might be looking for an MFA app.

However, if you don't want to use Microsoft's service, there are other options: Google Authenticator and Authy are both great alternatives, and the latter offers a desktop version.

Image credit: Golubovystock

Permalink to story.



Posts: 130   +287
Considering cellular providers still have garbage security for getting numbers switched to different SIMs, it's amazing how long it has taken for it to be recognized that SMS for 2FA is like putting a dead bolt on a screen door.


Posts: 886   +1,417
I personally use Microsoft Authenticator and it offers two important features for me, the first being encrypted backups to cloud. The other one is app lock, which for me uses Touch ID before unlocking the app each time I switch to it.

In addition, the QR code scanning is blazingly fast. Most of the time I barely get the code inside of the camera viewport before it’s finished scanning it. It also accepts a private key directly so you don’t have to use two devices + a camera to add 2FA.


Posts: 1,152   +1,684
Tell that to the services, not me. PlayStation did not support it until OS v8, that's like what, 2 months old? eToro doesn't support app auth either.