MFA is good, SMS MFA is not, Microsoft says in blog post

Nov 11, 2020 11:59 GMT  ·  By

While multi-factor authentication, or MFA, has become an essential part of the security arsenal belonging to every single Internet user out there, there are parts of it that need to be abandoned.

These are SMS and voice MFA, Microsoft warns: both ride on the public switched telephone network, or PSTN, which can easily be abused to expose your data.

They are the least secure of the MFA methods available today, Alex Weinert, Director of Identity Security at Microsoft, says in a post, chiefly because they cannot adapt to the user or to changing threats and because the codes are transmitted in the clear.

“One of the significant advantages of services is that we can adapt to user experience expectations, technical advances, and attacker behavior in real-time. Unfortunately, the SMS and voice formats aren’t adaptable, so the experiences and opportunities for innovations in usability and security are very limited,” he says.

“When SMS and voice protocols were developed, they were designed without encryption. From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols). What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.”

App-based authentication, the best way to go

Furthermore, he says, PSTN systems are easy to social engineer and are subject to mobile operator performance, which means they’re not 100 percent reliable and not fully consistent.

Weinert says the best way to go is app-based authentication, and the Microsoft Authenticator that the Redmond-based software giant already offers should be part of your must-have apps if you already have a Microsoft account.

“The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe. In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still,” Weinert concludes.