Multi-Factor Authentication Warning from Microsoft


Multi-Factor Authentication (MFA) is becoming increasingly prevalent as a means of securing access to your business and personal data.  Hopefully, you’re already using MFA wherever possible.  If you’re not entirely sure what MFA is, you can read more about it in our blog here.

There are several different methods of implementing MFA.  Microsoft has begun recommending that telephone-based methods, such as one-time codes sent via SMS (text) and voice calls, no longer be used.  It is instead urging users to employ app-based authenticators or security keys.

The Problem with Telephone-based MFA

According to Alex Weinert, Director of Identity Security at Microsoft, statistics show that 99.9% of automated attacks against Microsoft accounts are blocked for users who enable MFA.  One caveat, however, is that when choosing your method of MFA, it’s best to avoid telephone-based MFA options.  The problem is not with the MFA itself, but rather with the telephone networks.  Weinert says that “Both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers…”  It is also possible to “phish” SMS-based one-time codes using easy-to-find phishing tools.  Yet another area of vulnerability with this method is that phone network employees can unwittingly transfer your phone number to an imposter’s SIM card, allowing the attacker to receive MFA one-time codes on your behalf.  This is called SIM swapping.

Another issue with phone-based MFA is that it relies on phone networks, which can suffer downtime and network issues.  During such times, the MFA mechanism may not work, preventing you from accessing an account or data, possibly at a moment of urgency.

Stronger MFA Methods

Weinert recommends that users employ stronger MFA methods such as app-based authenticators or security keys.  Microsoft’s own Authenticator MFA app is one option, free to download here.  Another free app is called “Authy”, which can be downloaded from here.  Paid-for options such as Duo are also available, providing a much longer list of supported applications plus many other add-on options.

Even better than these apps are hardware security keys.  These come in a variety of formats, including USB-1, USB-3, Lightning for iPhone users and keys that use Bluetooth.  They are easy to use, inexpensive, less hassle and much more secure than the other methods.

To summarize, don’t disable SMS or voice-based MFA on your accounts unless or until you implement one of the stronger methods.  Telephone-based methods are still far superior to no MFA at all.

If you would like to implement MFA for your business Microsoft 365 accounts and need assistance, please give us a call.

November 19, 2020 4:39:20 PM

Bill Boisvenue
