Published on 25/11/2020 | Written by Jonathan Cotton
In an unsecured world, voice and text-based verification doesn’t cut the MFA mustard…
Alex Weinert, Microsoft’s director of identity security, says it’s time to ditch those text and voice multi-factor authentication passcodes in favour of something else (hint: it’s Microsoft Authenticator).
“Multi-factor authentication (MFA) is essential – we are discussing which MFA method to use, not whether to use MFA,” writes Weinert in a November blog.
“I want to do what I can to convince you that it’s time to start your move away from the SMS and voice MFA mechanisms,” says Weinert.
“Your password is *definitely* terrible.”
Referring to a blog posted earlier this year, Weinert says that MFA-protected accounts are 99.9 percent less likely to be compromised than those relying on password-protection only.
“When it comes to composition and length, your password (mostly) doesn’t matter.
“That’s not to say your password isn’t terrible. It’s *definitely* terrible, given the likelihood that it gets guessed, intercepted, phished or re-used.”
In other words, what your password is doesn’t really matter, but your MFA does.
So what’s the problem with SMS as a method for proving who is who?
Weinert argues that authentication methods based on the public switched telephone network (PSTN) are ‘the least secure’ of the MFA methods available today.
“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”
According to Weinert, PSTN-based authenticators have ‘all the vulnerabilities of every other authenticator’ as well as a host of other issues specific to PSTN, including being vulnerable to phishing attacks, account takeovers and device theft.
There’s an inherent inflexibility in the SMS format too – messages can’t be made longer, or richer, or do much except send a one-time password in a text message or a phone call.
“SMS and voice formats aren’t adaptable, so the experiences and opportunities for innovations in usability and security are very limited.”
When SMS and voice protocols were developed, they were designed without encryption, says Weinert.
“From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented these from taking hold over the existing protocols).”
What this means is that traditional authentication signals are vulnerable to interception by ‘anyone who can get access to the switching network or within the radio range of a device’.
Voice-activated authentication methods help little, and bring human weakness into the mix, with customer support agents vulnerable to charm, coercion, bribery or extortion by bad actors.
“If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel,” says Weinert. “While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed ‘muscle’ for preventing account compromise via their support ecosystems.”
This leaves SMS and voice channels vulnerable to everything from message intercept, to call forwarding attacks, to SIM jacking.
Inconsistencies in mobile operator service and an uncertain regulatory environment add to the delivery challenges.
“Due to the increase in spam in SMS formats, regulators have required regulations on identifying codes, transmit rates, message content, permission to send and response to messages like ‘STOP’.
“Unfortunately, however, these regulations change rapidly and are inconsistent from region to region and can (and have) resulted in major delivery outages. More outages, more user frustration.”
The solution to all this? Biometric-based authentication.
The app-based alternative
With SMS and voice authentication off the table, Weinert makes the case for Microsoft Authenticator.
“For most users on their mobile devices, we believe the right answer is app-based authentication. For us, that means the Microsoft Authenticator.”
Available for Android and iOS, Microsoft Authenticator uses devices, not passwords, to log into your Microsoft account. Users enter their username, then approve a notification sent to the device. Fingerprint, face ID, or PIN provides a second layer of security to the two-step verification process.
“The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe,” says Weinert.
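The article contrasts two things: a one-time code carried over an unencrypted channel that anyone in range of the handset or the switching network can read, and an app that holds its own secret and talks to the service over an encrypted, bi-directional channel. The following is an added illustration, not code from the article or from Microsoft, and it does not reproduce Microsoft Authenticator's actual protocol. It assumes a simplified model: the SMS-style side is a bearer code, and the app-based side is an HMAC challenge/response bound to a single sign-in context, using only the Python standard library; the usernames, context strings and class names are constructed for the demo.

```python
import hmac
import hashlib
import secrets
import time

# Assumed illustration: bearer one-time code (what SMS/voice delivers) versus a
# device-bound, context-bound challenge/response (what an app-based authenticator
# can do). Not Microsoft Authenticator's real protocol.
CODE_TTL = 300        # seconds an SMS-style code stays valid
CHALLENGE_TTL = 60    # seconds a push challenge stays valid


class SmsStyleVerifier:
    """Issues a 6-digit code and accepts it from whoever presents it first.
    The code is a bearer secret: reading the message is enough to redeem it."""

    def __init__(self):
        self._pending = {}  # username -> (code, expiry)

    def send_code(self, username, now):
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (code, now + CODE_TTL)
        return code  # would travel over the PSTN in clear text

    def verify(self, username, presented, now):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry or not hmac.compare_digest(code, presented):
            return False
        del self._pending[username]  # single use
        return True


class DeviceBoundVerifier:
    """Server side of a push-approval flow. The device key is shared once at
    enrollment (assumed to happen over an encrypted channel) and never sent
    again; each approval is an HMAC over a fresh, context-bound challenge."""

    def __init__(self):
        self._device_keys = {}  # username -> key bytes
        self._challenges = {}   # challenge_id -> (username, context, nonce, expiry)

    def enroll(self, username):
        key = secrets.token_bytes(32)
        self._device_keys[username] = key
        return key  # handed to the app during enrollment only

    def issue_challenge(self, username, context, now):
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._challenges[challenge_id] = (username, context, nonce, now + CHALLENGE_TTL)
        return challenge_id, nonce

    @staticmethod
    def mac(key, challenge_id, context, nonce):
        msg = challenge_id.encode() + b"|" + context.encode() + b"|" + nonce
        return hmac.new(key, msg, hashlib.sha256).digest()

    def approve(self, challenge_id, response, now):
        entry = self._challenges.get(challenge_id)
        if entry is None:
            return False  # unknown or already consumed
        username, context, nonce, expiry = entry
        if now > expiry:
            del self._challenges[challenge_id]
            return False
        expected = self.mac(self._device_keys[username], challenge_id, context, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        del self._challenges[challenge_id]  # nonce is single use
        return True


def device_respond(key, challenge_id, context, nonce):
    """What the app does after the user taps approve; the key never leaves the device."""
    return DeviceBoundVerifier.mac(key, challenge_id, context, nonce)


def demo():
    """Run both flows. Returns (sms_code_redeemed_by_reader,
    push_response_replayed, push_response_used_for_other_session)."""
    now = time.time()
    sms = SmsStyleVerifier()
    code = sms.send_code("alice", now)
    # whoever reads the text first redeems it: the verifier cannot tell the difference
    reader_wins = sms.verify("alice", code, now + 5)

    push = DeviceBoundVerifier()
    key = push.enroll("alice")
    cid, nonce = push.issue_challenge("alice", "signin:web:session-1", now)
    resp = device_respond(key, cid, "signin:web:session-1", nonce)
    assert push.approve(cid, resp, now + 5)       # legitimate approval
    replayed = push.approve(cid, resp, now + 6)   # captured response, replayed
    cid2, nonce2 = push.issue_challenge("alice", "signin:web:session-2", now)
    # an approval computed for session-1 does not transfer to session-2
    wrong_ctx = push.approve(cid2, device_respond(key, cid, "signin:web:session-1", nonce2), now + 5)
    return reader_wins, replayed, wrong_ctx
```

Running `demo()` returns `(True, False, False)`: the SMS-style code is redeemable by anyone who reads it, while the device-bound response cannot be replayed or redirected to a different sign-in, which is the property the article attributes to encrypted, purpose-built authenticators.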
And there’s more to come, he says, so hurry up and embrace authentication-by-app already.
“In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”