Microsoft: Move Away From Phone-based Multi-factor Authentication – TechDecisions

Multi-factor authentication (MFA) a cybersecurity measure that grants access to an account or application only after a user presents two or more pieces of evidence to prove they own the account is often cited by experts as a simple but necessary protocol to protect against phishing attacks.

Users can usually select a few different wants to authenticate the account: email, security keys, authenticator apps, voice and SMS text messages.

However, in a new blog, Microsofts Director of Identity Security Alex Weinert suggests organizations should avoid using mobile phone-based authentication methods.

Those authentication methods are based on publicly switched telephone networks and are the least secure of the available MFA methods, according to Weinert, who used the post to highlight Microsofts Authenticator App.

That gap will only widen as MFA adoption increases attackers interest in breaking these methods and purpose-built authenticators extend their security and usability advantages, Weinert writes.

Plan your move to passwordless strong auth now the authenticator app provides an immediate and evolving option.

Authenticating an account via a PSTN is inherently dangerous, Weinert writes.

Read Next: Study: Tiny Visual Cues Can Give Hackers Your Password On Video Calls

Its worth noting that every mechanism to exploit a credential can be used on PSTN OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN.

In addition, the messages are limited to simply sending one-time passwords in a short text or phone call without context.

Further, these messages are sent without encryption, are easy to social engineer and are subject to mobile operator performance and changing regulations.

The Microsoft Authenticator, Weinert writes, uses encrypted communication that allows bi-directional communication on authentication status. The company is also working on adding more context and control to the app.

Multi-factor authentication is a simple way to increase your internet security, and its quickly becoming anything but optional.

In a blog last year, Weinert wrote that MFA is the least you can do if you are at all serious about protecting your accounts.

Use ofanythingbeyond the password significantly increases the costs for attackers, which is whythe rate of compromise of accounts using any type of MFA is less than 0.1% of the general population, Weinert wrote.

Read more here:
Microsoft: Move Away From Phone-based Multi-factor Authentication - TechDecisions

Related Posts

Comments are closed.