Multi-Factor Authentication Warning from Microsoft


Multi-Factor Authentication (MFA) is becoming increasingly prevalent as a means of securing access to your business and personal data.  Hopefully, you’re already using MFA wherever possible.  If you’re not entirely sure what MFA is, you can read more about it in our blog here.

There are several methods of implementing MFA. Microsoft has begun recommending that telephone-based methods, such as one-time codes sent via SMS (text) or voice call, no longer be used. They are instead urging users to employ app-based authenticators or security keys.

The Problem with Telephone-based MFA

According to Alex Weinert, Director of Identity Security at Microsoft, statistics show that 99.9% of automated attacks against Microsoft accounts are blocked for users who enable MFA. One caveat, however, is that when choosing your method of MFA, it’s best to avoid telephone-based options. The problem is not with MFA itself, but with the telephone networks that carry the codes. Weinert says that “Both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers…” It is also possible to “phish” SMS-based one-time codes using easy-to-find phishing tools. Yet another weakness of this method is that phone network employees can unwittingly transfer your phone number to an imposter’s SIM card, allowing the attacker to receive your MFA one-time codes. This is called SIM swapping.

Another issue with phone-based MFA is that it depends on the phone network, which can suffer outages and coverage problems. During such times the MFA mechanism may not work at all, locking you out of an account or data, possibly at the moment you urgently need access.

Stronger MFA Methods

Weinert recommends that users employ stronger MFA methods such as app-based authenticators or security keys. Microsoft’s own Authenticator MFA app is one option, free to download here. Another free app is called “Authy”, which can be downloaded from here. Paid options such as Duo are also available, providing a much longer list of supported applications plus many other add-ons.

Even better than these apps are hardware security keys. These come in a variety of formats, including USB-1, USB-3, Lightning for iPhone users and keys that use Bluetooth. They are easy to use, inexpensive, less hassle and much more secure than other methods.

Summary

To summarize, don’t disable SMS or voice-based MFA on your accounts unless or until you implement one of the stronger methods. Telephone-based methods are still far superior to no MFA at all.

If you would like to implement MFA for your business Microsoft 365 accounts and need assistance, please give us a call.