Not all Multifactor Authentication methods are created equal.
Multifactor Authentication (MFA) is a cybersecurity best practice that attempts to confirm the identity of someone before giving access to an account or data. MFA requires at least two forms of authentication. The most common combination is something you know (a password) and something you have (a smartphone). Rather than just asking for a password, a user might have to provide an additional key from an application, text message, phone call, fingerprint, or facial recognition before access is granted.
At SWICKtech, we’ve long been advocates of Multifactor Authentication, as passwords are no longer enough to protect against malicious attacks and intruders.
This month, Alex Weinert, Director of Identity Security at Microsoft, urged people to stop using phone-based Multifactor Authentication methods, such as phone calls and text messages, due to their vulnerabilities. “Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” Weinert writes.
It’s been known for quite some time that text messages and phone systems are more vulnerable to hijackers, as was demonstrated by a Bitcoin hack reported by Forbes in 2017.
In his blog this month, Weinert says that phone systems were developed to transmit ‘cleartext’ without encryption, which leaves phone traffic open to eavesdropping with software-defined radios, FEMTO cells, or an SS7 intercept service.
Although phone systems may not be the most secure form of MFA, they are still essential. “We are discussing which MFA method to use, not whether to use MFA,” says Weinert. “Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromised accounts using any type of MFA is less than 0.1% of the general population.”
A better and more secure form of MFA is application-based authentication, such as Google Authenticator or Microsoft Authenticator.
The key to IT security is to get passwords out of the hands of end users. If you need an expert IT team to help you discover the benefits of MFA and Password Managers, contact SWICKtech for a no-strings-attached consultation and free quote.