Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.
Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.
But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.
The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today.
Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.
SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.
Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card — in attacks known as SIM swapping—, allowing attackers to receive MFA one-time codes on behalf of their victims.
On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.
All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.
The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.
As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its large adoption.
Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.
But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
PS: This shouldn't mean that users should disable SMS or voice-based MFA for their accounts. SMS MFA is still way better than no MFA.