Microsoft is asking individuals to abandon two-factor authentication (2FA) tools that still use SMS and voice calls in favor of more modern security technology.
Standard two-factor authentication solutions work by sending a one-time code to a chosen device. This means that a particular account can only be accessed if an individual is in possession of both the correct password and the one-time code.
However, Alex Weinert, Microsoft’s director of identity services, argues that the poor level of security surrounding telephone networks means these types of multi-factor authentication solutions are severely lacking. Both SMS and voice calls are transmitted in clear text and can be easily intercepted, while SMS codes are subject to phishing attacks. Changing regulations and performance issues also make phone networks poor choices for security tools.
“Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice multi-factor authentication mechanisms,” Weinert explained. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”
Weinert rightly cautions that as MFA solutions become more widely adopted, attackers will increasingly focus on finding vulnerabilities that weaken their effectiveness. He argues that security-conscious individuals should adopt Microsoft's Authenticator MFA app, or better yet, hardware security keys to protect themselves from attack.
Not that long ago, passwords were largely the only safeguards used for online solutions. But the security landscape has quickly moved on, and the question now is what the best multi-factor authentication (MFA) approach can be.
Via ZDNet