Microsoft Warns Against Using SMS-Based Two-Factor Authentication On Your Phone
Alex Weinert, Partner Director of Identity Security at Microsoft, recently laid out several arguments for abandoning SMS and voice MFA. Both methods ride on the public switched telephone network (PSTN), the global interconnection of carrier telephone networks. The PSTN is exposed to nearly every common attack that other authenticators face, and it also has weaknesses of its own. According to Weinert, “signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.” A wide variety of tools and services exist for intercepting those signals, and the network itself gives the recipient no way to verify that a message really came from the service it claims to.
Another problem is that SMS and voice are not adaptable. There is little a provider can do to vary the content or length of these messages, so, as Weinert put it, “innovations in usability and security are very limited.” The format also restricts what can be communicated to users: an SMS carries at most 160 characters (70 when non-Latin characters are used), enough for a bare code and little else. Weinert noted that this makes a phishing message look just as legitimate as an authentic one; a spoofed text containing a code and a link is indistinguishable from the genuine article.
It is also hard for MFA providers to tell how many users actually received and acted on their SMS or voice messages. Some carriers report delivery failures back to the sender, but this reporting is inconsistent and often absent, so providers frequently cannot detect a delivery problem until users are already locked out or an attack is under way.
Finally, several human and regulatory factors add to the unreliability of SMS and voice MFA. Rules governing SMS delivery vary by region and change frequently. Carrier help desk and customer service staff can also be socially engineered by attackers into moving a victim's phone number to an attacker-controlled SIM (a SIM swap), which hands the attacker every code sent to that number.
Weinert’s article is largely an argument for app-based authentication such as the Microsoft Authenticator app, but the issues he raises with SMS and voice MFA are real. This form of MFA is convenient but insecure. Several recent content-creator account takeovers were carried out by spoofing SMS MFA messages or by socially engineering the victim’s phone carrier into handing over the account. Some argue that any MFA is better than no MFA, and Weinert makes that point himself: no form of MFA is perfect, and phone-based MFA still stops the bulk of automated account attacks. But the number of issues with phone transports should push MFA providers toward stronger alternatives.