Microsoft is urging users to stop using phone-based methods for two-step verification, specifically SMS and voice calls, because, according to the company, the codes they carry can be intercepted. Microsoft recommends authenticator apps as the alternative.
The warning comes in a blog post by Alex Weinert. He previously wrote a much-discussed blog post about the future of passwords, in which he said that multi-factor authentication stops more than 99 percent of all phishing and hacking attempts on Microsoft accounts. Weinert is now advocating a move away from SMS and ‘voice’ as two-step verification methods. “These mechanisms are based on publicly switched telephone networks, or PSTNs, and I think these are the most insecure 2FA methods at the moment,” he writes in the blog post.
Weinert writes that every technique used to steal other credentials also works against codes delivered over these PSTNs, for example phishing, social engineering, account takeover and theft of the device itself.
One-time passwords sent by SMS or voice call travel in plaintext. According to Weinert, that cannot simply be changed, because applying encryption to text messages, for example, would be impractical. SMS codes also tend to stay valid for a long time, which gives an attacker more time to obtain and use them, unlike authenticator apps, where a code is usually only valid for thirty seconds.
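The validity-window difference is easy to see in code. The block below is an added example, not code from the article or from Microsoft: it implements a standard TOTP generator (RFC 6238, SHA-1, 6 digits, 30-second step, checked against the RFC's published test vectors), and next to it a constructed SMS-style verifier with an assumed 10-minute lifetime, to show that a code stolen in transit is useless two steps later for TOTP but still accepted minutes later for SMS. The secret, timestamps, the ±1 step tolerance and the 600-second SMS lifetime are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). A real deployment
# uses a random per-user secret shared with the app during enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side (assumed tolerance
    for clock drift). A captured code dies once the window has moved past it."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def verify_sms_code(issued: str, issued_at: int, candidate: str, now: int, ttl: int = 600) -> bool:
    """Constructed SMS-style check: the server stored the code it sent and
    accepts it for `ttl` seconds (assumed 10 minutes here) after sending."""
    if now - issued_at > ttl:
        return False
    return hmac.compare_digest(issued, candidate)


def replay_window_demo() -> dict:
    """An attacker intercepts both codes at t0 and tries them 60 seconds later."""
    t0 = 1111111109          # RFC 6238 test timestamp
    later = t0 + 60          # two TOTP steps later, well inside the SMS lifetime
    stolen_totp = totp(SECRET, t0)
    stolen_sms = "482913"    # constructed code the server "sent" at t0
    return {
        "totp_at_t0": stolen_totp,
        "totp_replay_later": verify_totp(SECRET, stolen_totp, later),
        "sms_replay_later": verify_sms_code(stolen_sms, t0, stolen_sms, later),
    }


if __name__ == "__main__":
    print(replay_window_demo())
```

The `hotp`/`totp` pair is the same arithmetic an authenticator app runs on the phone; the server computes the same value independently from the shared secret, so nothing is sent over a carrier network. The SMS path has to transmit the code itself, which is why its lifetime, rather than a 30-second clock, bounds how long an intercepted message remains useful.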
Weinert does not say in the blog post how large the problem with 2FA via SMS actually is. It is therefore not known in how many cases it was circumvented on Microsoft accounts, for example, or by which methods. According to Weinert, it is inevitable that two-step verification will eventually be deployed everywhere, and Microsoft considers authenticator apps better suited for that. He himself recommends Microsoft Authenticator, but users can use any authenticator app with the various services that support them.