Technology giant Microsoft has urged users to stop using telephone-based multi-factor authentication (MFA) methods such as one-time codes sent via SMS and voice calls.
The company has instead asked users to replace them with newer MFA technologies, such as app-based authenticators and security keys. Alex Weinert, Director of Identity Security at Microsoft, has issued the warning.
Weinert has been Microsoft’s public advocate for MFA, advising users to enable it on their online accounts. In a blog post last year he said that users who enabled multi-factor authentication (MFA) blocked nearly 99.9% of automated attacks against their Microsoft accounts.
However, in another blog post on Thursday, Weinert said that if users had to choose between multiple MFA solutions, they should keep away from telephone-based MFA.
The Microsoft executive cited numerous known security issues, not with MFA itself, but with the state of the telephone networks: both SMS and voice calls are transmitted in clear text and can be intercepted by determined attackers.
SMS-based one-time codes are also phishable via open-source, readily available phishing tools such as Modlishka, CredSniper, or Evilginx.
Additionally, phone network employees can be deceived into moving phone numbers to a threat actor’s SIM card, allowing attackers to receive MFA one-time codes on behalf of their victims.