Microsoft asks users to stop relying on their smartphone as a multi-factor authentication tool

Alex Weinert, associate director of identity security at Microsoft, has been urging users to adopt and enable multi-factor authentication (MFA) as a way to protect their online accounts.

This is not merely a personal conviction but also a policy promoted by his company: according to its internal statistics, Microsoft account users were able to block 99.9% of the automated attacks they received, all thanks to multi-factor authentication.

Despite this, not every MFA system is useful, and not every one is recommended. That is why Weinert has begun to discourage the use of authentication based on SMS and calls to the mobile phone, a type of MFA that is quite popular today.

According to the Microsoft executive, his position is based on the threat this method poses because of its security holes, holes that are attributable not to multi-factor technology itself but to mobile phone networks.

Security holes ... and two alternatives

The key to the problem is that, although the methods criticized by Weinert rely on single-use codes, both SMS and voice calls deliver these codes over unencrypted channels.

This means that the messages can easily be intercepted by malware (such as Modlishka) or by spy systems (such as SS7), not to mention social engineering attacks against the operators' employees.

Add to that the coverage problems that can prevent us from authenticating at urgent moments, and we have the whole picture. Additionally, Weinert reminds us that as more users turn to these methods, more cybercriminals will try to break their security.

Therefore, his recommendation is that users opt for an MFA mechanism he considers much more robust: the one based on authentication apps such as Microsoft Authenticator and Google Authenticator.

However, Weinert's true preference, the system he has more than once rated as the best MFA solution, is hardware-based security keys.

