SMS/Voice has all the vulnerabilities of every other authenticator and a host of other issues specific to SMS/Voice.
#2 Legacy Protocol / Not Adaptable
Because so many devices rely on receiving SMS messages, the format of the messages is limited – we can’t make the messages richer, or longer, or do much of anything beyond sending the OTP in a short text message or a phone call.
#3 Transmitted in the Clear
When SMS and voice protocols were developed, they were designed without encryption. From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them.
What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device.
These interceptor devices and services are not even hard to find.
#4 Easy to Social Engineer
Sadly, customer support staff at phone companies are vulnerable to charm, coercion, bribery, or extortion. If the social engineering succeeds, they can provide access to the account.
This leads to everything from message intercept to call forwarding attacks to SIM jacking.
#5 Subject to Mobile Operator Performance
Unfortunately, phone systems are not 100% reliable and reporting is not 100% consistent.
In some regions, delivery rates can be as low as 50%!
This means that signaling to users, whether to offer alternatives or to warn of an issue, is difficult to provide.
#6 Limited Context
In practical terms, the text or voice mediums limit how much information can be communicated to a user – SMS carries 160 characters, 70 if not using GSM.
Once we get into languages which require encoding, the practical limit is only around half.
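To make the character budget above concrete, here is an added example (not part of the original thread) that classifies an OTP message as GSM-7 or UCS-2 and reports how many segments it needs and how much of the first segment is left for context. The GSM 03.38 table and the 160/70 (153/67 when concatenated) limits are standard; the function name `sms_budget` is an assumption of this example.

```python
# Added example: estimate the SMS budget an OTP message consumes.
# GSM 03.38 basic character set (each char costs one 7-bit septet).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: each of these costs two septets (escape + char).
GSM7_EXT = "^{}\\[~]|€"


def sms_budget(text: str) -> dict:
    """Return encoding, code-unit count, segment count and headroom in segment 1.

    GSM-7: 160 septets in a single SMS, 153 per part when concatenated.
    UCS-2: 70 16-bit units in a single SMS, 67 per part when concatenated.
    Any character outside GSM 03.38 forces the whole message to UCS-2,
    which is why non-Latin languages get roughly half the capacity.
    """
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        units = sum(2 if c in GSM7_EXT else 1 for c in text)
        single, multi, enc = 160, 153, "GSM-7"
    else:
        # UCS-2 counts UTF-16 code units; characters outside the BMP
        # (e.g. emoji) take two units each.
        units = len(text.encode("utf-16-be")) // 2
        single, multi, enc = 70, 67, "UCS-2"
    # Ceiling division for the multipart case.
    segments = 1 if units <= single else -(-units // multi)
    return {
        "encoding": enc,
        "units": units,
        "segments": segments,
        "headroom": single - units,  # negative once a second segment is needed
    }


def fits_single_sms(text: str) -> bool:
    """True if the message is delivered as one SMS under its required encoding."""
    return sms_budget(text)["segments"] == 1


if __name__ == "__main__":
    # Constructed sample messages, not real OTPs.
    for msg in ("Your code is 123456", "Ваш код 123456", "Your code is 🔐 123456"):
        print(msg, "->", sms_budget(msg))
```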
#7 Subject to Changing Regulations
Due to the increase in SMS spam, regulators have imposed requirements on transmit rates, message content, permission to send, and responses to messages like “STOP.”
Implementing these changes can cause, and has caused, major delivery outages.
Ok, to recap: you’re GOING to use MFA. Which MFA? Well, for most users on their mobile devices, we believe the right answer is app-based authentication.
This week you can catch up live on Twitter Spaces with the team from Microsoft that builds our Authenticator app. Learn about all the updates & have your questions answered.