Microsoft: Authenticator More Secure than SMS for One-Time Passwords
PINs sent via SMS can’t be encrypted, making them less secure than authentication apps.
November 16, 2020
Microsoft is pressing companies to move away from sending one-time passwords over PSTN and SMS networks for multi-factor authentication (MFA).
Texting or sending voice-based one-time passwords carries some risk, Microsoft’s director of security, Alex Weinert, warned. Hackers can intercept the one-time passwords and penetrate a network or take over an account, he said. Likewise, SMS and voice sent over PSTNs increase the risk of customers falling victim to phishing and social engineering attacks.
“I believe they’re the least secure of the MFA methods available today,” Weinert noted in a blog. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”
Weinert said organizations that are using SMS and voice should transition to cryptographically protected credentials tools support Fast Identity Online (FIDO) Alliance standards. Nevertheless, Weinert emphasized that if you use SMS or PSTN-based one-time passwords, that’s still better than not using MFA. Likewise, he noted the risk is relatively low and that organizations that have not implemented MFA shouldn’t delay doing so.
“MFA is essential — we are discussing which MFA method to use, not whether to use MFA,” he noted.
Brian Sherman, a solutions engineer at Valeo Networks, a provider of managed security services, agreed.
Valeo Networks’ Brian Sherman
“Weaker MFA is always better than no MFA,” Sherman said. “Unfortunately, SMS was never intended to be used as a means of authentication.”
App-Based Authentication with Encryption
Rather than SMS or voice, organizations should use app-based authentication, according to Weinert. In Microsoft’s case, the tool of choice is Microsoft Authenticator. The app uses encrypted communication and allows bidirectional communication on authentication status, Weinert noted. Over the past year, Microsoft has added app lock, the ability to hide notifications from the lock screen, and sign-in history.
The problem with SMS and voice protocols sent over PSTNs is they weren’t designed to support encryption, according to Weinert.
“Signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” he noted.
Weiner raised that point last year, when he noted that “an attacker can deploy a software-defined-radio to intercept messages, or a nearby FEMTO, or use an SS7 intercept service to eavesdrop on the phone traffic.”
NIST Warnings
Microsoft isn’t the first company that has campaigned against using SMS or voice for MFA. Security experts have warned of the risks for several years. In 2016, the National Institute of Standards (NIST) initially proposed restricting the use of the networks for OTPs. While the agency softened its language, it still is not a recommended practice.
“We recommend our clients use app-based MFA whenever possible,” Valeo Networks’ Sherman said. “Under some specific scenarios we recommend physical keys; for example, if employees are not allowed to carry cellphones.”
In July, Google announced it was shifting from SMS and voice-based codes to phone prompts as its primary form of MFA. According to research conducted by Google last year, on-device prompts were a more secure than SMS. Cybercrooks were only successful with 1% of bulk phishing attempts with the phone prompts, which compares to 4% with SMS. Targeted attacks with phone prompts had a 10% success rate, compared with 26% with SMS. When used with security keys, no one successfully implemented a targeted or phishing attack.
For its part, 99% of Valeo Networks’ clients use MFA in some capacity, according to Sherman.
“I don’t think there are any that use strictly SMS,” he said. “It’s more of a mixed bag among the user base. I would say it’s roughly an even split between app based and SMS.”
Read more about:
MSPsAbout the Author
You May Also Like