
Microsoft: Stop Using SMS for MFA


steven36


By Paul Thurrott

 


 

Microsoft this week made the case for moving away from SMS-based authentication in Multi-Factor Authentication (MFA) schemes, citing its insecurity.

 

“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” Microsoft’s Alex Weinert writes. “These mechanisms are based on publicly-switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong [authentication] now – the authenticator app provides an immediate and evolving option.”

 

As I wrote years ago, 2FA/MFA is essential, and Weinert—an actual security expert—agrees: He says that MFA is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1 percent of the general population.

 

At the time of that article linked above, I recommended using an authenticator smartphone app, like Microsoft Authenticator, noting that text messaging (SMS)-based authentication was “falling out of favor.” Here, too, Weinert agrees, but he has data that should convince any holdouts.

 

SMS-based authentication, he says, is transmitted in the clear, meaning that it can’t be encrypted and “can be intercepted by anyone who can get access to the switching network or within the radio range of a device.” They are easy to socially engineer, enabling an SMS form of a phishing attack in which users can unknowingly give hackers the information they need to access user accounts. And thanks to the unreliability of mobile networks, they’re unreliable, and you won’t be informed if an authentication attempt fails.

 

“To recap: you’re GOING to use MFA,” Weinert correctly concluded. “For most users on their mobile devices, we believe the right answer is app-based authentication. For us, that means the Microsoft Authenticator. The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe. In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”

 

It’s good advice. Follow it.

 

Source


Microsoft wants you to ditch SMS-based multi-factor authentication mechanisms

With a large portion of people working from home in light of the ongoing pandemic, digital security and privacy have become more important than ever. And while we may not be observing the National Cyber Security Awareness Month (NCSAM) anymore, Microsoft has not given up on promoting cybersecurity initiatives.

 

Now, Alex Weinert, who is the Director of Identity Security at Microsoft, has penned a blog post highlighting the need to move away from multi-factor authentication (MFA) mechanisms which are based on publicly switched telephone networks (PSTN).

Image via Lisa Fotios from Pexels
 

The executive has highlighted various reasons to let go of MFA systems based on PSTN such as SMS and voice. However, Weinert has emphasized that MFA itself is essential, it's just the way people use it that should change.

 

To that end, the executive has stated that mechanisms based on PSTN are the least secure MFA methods out there because practically every exploitation technique such as phishing and account takeover can still be carried out. This situation is only expected to get worse once attackers shift their interest to breaking MFA systems, which is dependent upon how much of the public use them. Furthermore, PSTN messages aren't adaptable to different users either, so the potential to further improve security via them is limited.

 

Weinert went on to say that attackers can deploy software to intercept PSTN messages inflight on most networks, which means that this is yet another unique attack surface that is there to be exploited by malicious actors. He further stated that:

It’s worth noting that most PSTN systems are backed by online accounts and rich customer support infrastructure. Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel. While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking.

 

Unfortunately, PSTN systems are not 100% reliable, and reporting is not 100% consistent. This is region and carrier dependent, but the path a message takes to you may influence how long it takes to get and whether you get it at all. In some cases, carriers report delivery when delivery has failed, and in others, delivery of messages can take a long enough time that users assume messages have been unable to get through. In some regions, delivery rates can be as low as 50%! Because SMS is “fire and forget,” the MFA provider has no real-time signal to indicate a problem and has to rely on statistical completion rates or helpdesk calls to detect problems. This means signal to users to offer alternatives or warn of an issue is difficult to provide.

The executive also noted that regulations regarding SMS and calls change rapidly and vary from region to region, which may result in outages when using MFA systems based on PSTN.

 

Moving forward, Weinert has recommended that people utilize MFA using app-based authentication such as Microsoft Authenticator, since it tackles almost all of the problems with PSTN systems highlighted in his blog post.

 

 




 

Microsoft recommends using app-based authenticators and security keys instead.

 

Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

 

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.

 

Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

 

But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.

 

The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today.

 

Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined radios, femtocells, or SS7 intercept services.

 

SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

 

Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card, in attacks known as SIM swapping, allowing attackers to receive MFA one-time codes on behalf of their victims.

 

On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.

 

SMS AND VOICE CALLS ARE THE LEAST SECURE MFA METHOD TODAY


All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.

 

The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.

 

As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its large adoption.

 

Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.

 

But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.

 

PS: This shouldn't mean that users should disable SMS or voice-based MFA for their accounts. SMS MFA is still way better than no MFA.

 

Source
