Microsoft is urging users to avoid using SMS and voice based multi-factor authentication (MFA) solutions and instead replace them with newer multi-factor authentication (MFA) technologies, like app-based authenticators and security keys. It was revealed last year that users who enabled multi-factor authentication ended up blocking 99.9% of automated attacks against their Microsoft accounts.
How does it work?
Users are now being asked to decide on an app based multi-factor authentication over telephone based multi-factor authentication for several known issues, not with multi-factor authentication, but with the state of the phone networks today. SMS and voice calls are transmitted in cleartext and may be easily intercepted by malicious attackers, using a range of techniques and tools like software-defined-radios, FEMTO cells, or Signal System No.7 intercept services. SMS based one-time codes are also susceptible to phishing via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx. Additionally, phone network employees may be tricked through social engineering into transferring phone numbers to a threat actor's SIM card in attacks known as SIM swapping, allowing attackers to receive multi-factor authentication one-time codes on behalf of their victims. Phone networks are also exposed to changing regulations, downtimes, and performance issues which impact the availability of the multi-factor authentication mechanism overall. This prevents users from authenticating on their account in moments of urgency.
The Guyana National CIRT recommends that users and administrators adhere to this tip and implement where necessary.
- Cimpanu, C. (2020, November 12). Microsoft urges users to stop using phone-based multi-factor authentication. Retrieved from ZDNet:
- Calburn, T. (2020, November 11). Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped. Retrieved from The Register: https://www.theregister.com/2020/11/11/microsoft_mfa_warning/