Multi-factor authentication (MFA) – a cybersecurity measure that grants access to an account or application only after a user presents two or more pieces of evidence to prove they own the account – is often cited by experts as a simple but necessary protocol to protect against phishing attacks.
Users can usually select a few different wants to authenticate the account: email, security keys, authenticator apps, voice and SMS text messages.
However, in a new blog, Microsoft’s Director of Identity Security Alex Weinert suggests organizations should avoid using mobile phone-based authentication methods.
Those authentication methods are based on publicly switched telephone networks and are the least secure of the available MFA methods, according to Weinert, who used the post to highlight Microsoft’s Authenticator App.
“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” Weinert writes.
“Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.”
Authenticating an account via a PSTN is inherently dangerous, Weinert writes.
“It’s worth noting that every mechanism to exploit a credential can be used on PSTN – OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN.”
In addition, the messages are limited to simply sending one-time passwords in a short text or phone call without context.
Further, these messages are sent without encryption, are easy to social engineer and are subject to mobile operator performance and changing regulations.
The Microsoft Authenticator, Weinert writes, uses encrypted communication that allows bi-directional communication on authentication status. The company is also working on adding more context and control to the app.
Multi-factor authentication is a simple way to increase your internet security, and it’s quickly becoming anything but optional.
In a blog last year, Weinert wrote that MFA “is the least you can do if you are at all serious about protecting your accounts.
“Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population,” Weinert wrote.