Microsoft has been pushing for new security standards for years. Recently, the company has amped up its efforts to kill off passwords, and now, company Director of Identity Security Alex Weinert is urging the public to stay away from traditional, SMS-based two-factor authentication methods.
Before moving any further, let’s make one thing clear: some two-factor authentication, even SMS-based, is far, far better than no 2FA. Relying on your password alone is a risky endeavor, especially if you re-use the same password across multiple websites or services.
However, of the many 2FA options available to users these days, phone-based authentication is the least secure, according to Weinert. First, he says, many of the tactics used by hackers to expose passwords that aren’t protected by an authenticator, such as device theft, “account takeover,” and social engineering, still work with SMS-based multi-factor-authentication. In other words, it has few unique advantages.
What it does have, Weinert says, are several unique disadvantages. For starters, SMS-based 2FA is not “adaptable.” Because it isn’t software based, it cannot change in response to new hacking strategies, technological advances, or “user experience expectations.” It’s always the same.
More importantly, though, SMS and voice protocols are transmitted “in the clear,” meaning any “determined” attacker can intercept 2FA messages and phone calls to swipe your login codes.
“Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion.”
Weinert also believes SMS-based 2FA is the easiest MFA method to social engineer. “Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion,” he writes. “If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel.”
App-based solutions like Authy, or even hardware MFA methods like security keys, are both immune to social engineering: you are the only one with access to the codes those apps generate, and they refresh very quickly (often within 15-30 seconds).
Weinert lays out a number of other reasons to consider switching away from SMS-based 2FA, but we’ve covered the most important ones here. Naturally, toward the end of his post, he recommends Microsoft Authenticator to anyone who might be looking for an MFA app.
However, if you don’t want to use Microsoft’s service, there are other options: Google Authenticator and Authy are both great alternatives, and the latter offers a desktop version.