Microsoft has advised users to move away from SMS multi-factor authentication (MFA) in favour of more secure technologies.

In a blog post, director of identity security at Microsoft Alex Weinert described SMS and voice MFA “the least secure of the MFA methods available today”.

Of course, any form of 2FA will always be more secure than relying on a password alone, but SMS-based security can be compromised in the event of a SIM swapping attack or interception from a hacker.

A SIM swapping attack is when an attacker contacts an individual’s mobile phone provider, usually using details gathered from phishing or social engineering attacks, and tricks the provider into sending them a new SIM. This means texts and calls intended for the victim are diverted to the attacker’s device.

It is also possible for hackers to intercept unencrypted SMS and voice MFA, with Weinert explaining that attackers can deploy a software-defined-radio or an SS7 intercept service to access messages and calls before they reach their intended recipient.

He highlighted that the more widely used MFA becomes, the more hackers will focus their attentions on its vulnerabilities.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Furthermore, SMS and voice MFA formats aren’t adaptable, meaning it is difficult to update them in line with technical advances in security.

Therefore Weinert recommends multi-factor authentication apps such as Microsoft Authenticator or OneLogin, and physical security keys such as the YubiKey or Google Titan Key as more secure alternatives.

Jake Moore, cybersecurity specialist at ESET said:

“SMS-based 2FA has notoriously been weaker compared with physical security keys or authenticator app-based tokens. SMS messages can be hacked in a number of simple ways and remain at risk of SIM swapping attacks, where victims have their telecoms provider switch their SIM to another device without their knowledge. Then SMS one time passwords are sent to the attacker’s device. However, if SMS is the only 2FA option, it is still better than nothing.

“Authenticator apps are simple to use and should be a default app you install on your devices. To go one step further, hardware security tokens such as a given USB with private keys built-in are even more secure as they cannot be used in increasingly sophisticated social engineering techniques.”


Read More: “Better late than never”: Zoom boosts security with 2FA.