A recent article from the Microsoft Identity Division offers a strong case for no longer using text messaging (SMS) as a form of authorizing a multi-factor authentication (MFA) challenge. Currently, Microsoft allows for text (SMS), authenticator code, fast identity online (FIDO), and a voice call as options for authorization. You can learn more about the advantages of each in this article.
The issue with text messaging is that it is designed without encryption. This means text messages sent to your phone can be intercepted simply by eavesdropping on the signals going to your phone. Another form of this comes from a hacker using social engineering attacks. They work with your phone provider to transfer your number to a new phone by pretending to be you. Once that is done, all text messages will go to that new phone and hacker doesn’t even need to be near you for this to work.
Microsoft’s Director of Identity Security Alex Weinert says “Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today". Alex goes on to say, “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option”.
At Emergent Software we agree that MFA is essential and using SMS is substantially better than using nothing at all, but we want to see organizations move away from SMS. My recommendation is for organizations to look at their current policies and see what can be done to modernize their approach. Simple things such as using a FIDO USB stick, Windows Hello, and Microsoft Auth App can go a long way for helping keep your identity from getting compromised.
Interested in learning more about how to keep your organization safe from vulnerabilities? Contact our team of experts today to get started.
To enable comments sign up for a Disqus account and enter your Disqus shortname in the Articulate node settings.