Microsoft is urging companies to hang up on phone-based MFA



Microsoft has urged organizations to move away from voice and SMS-based multi-factor authentication (MFA), arguing that systems that rely on telephone networks are becoming increasingly limited, inflexible and insecure.

Alex Weinert, Director of Identity Security, explained that while MFA is essential to protect users’ accounts, any mechanism used to abuse credentials – including phishing, account takeover and one-time passwords – can be implemented over public switched telephone networks (PSTN).

PSTN-based systems are also exposed to unique problems because the SMS and voice protocols were designed without encryption.

“From a practical usability perspective, we can’t overlay encryption over these protocols because users wouldn’t be able to read them. This means that signals can be intercepted by anyone who can access the switching network or within radio range of a device,” continued Weinert.

“An attacker could deploy a software-defined radio to intercept messages, or use a nearby FEMTO, or use an SS7 interception service to eavesdrop on telephone traffic. This is a substantial and unique vulnerability in PSTN systems that is available to determined attackers.”

Social engineering attacks on mobile operators’ customer support agents are another possible route to compromise, leading to SIM card attacks, call forwarding and message interception, he added.

In March, Europol announced the arrest of two dozen individuals suspected of stealing millions via SIM swapping from mobile account hijacking.

Due to mobile operator performance issues and frequently changing regulations, downtime is not uncommon and it can be challenging for the MFA provider to alert the user to issues.

Essentially, SMS and voice formats are non-customizable, meaning new innovations and security enhancements cannot be layered on top of them. That’s why Weinert recommended encrypted authentication apps, such as Microsoft Authenticator, Google Authenticator or LastPass Authenticator.
