Microsoft urges users to stop using phone-based multi-factor authentication


Microsoft urges users to ditch phone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies like app-based authenticators and security keys.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. Weinert has spent the past year campaigning on Microsoft's behalf to encourage users to turn on MFA for their online accounts.

Quoting internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) blocked around 99.9% of automated attacks on their Microsoft accounts.

However, in a subsequent blog post, Weinert says that users who can choose between several MFA solutions should stay away from phone-based MFA.

The Microsoft manager lists several known security problems, not with MFA itself, but with the state of today's telephone networks.

According to Weinert, both SMS and voice calls are transmitted in clear text and can be intercepted by determined attackers using techniques and tools such as software-defined radios, femtocells or SS7 interception services.

SMS-based one-time codes can also be phished using open-source, readily available phishing tools such as Modlishka, CredSniper or Evilginx.

Telephone network employees can also be tricked into transferring a phone number to a threat actor's SIM card, in what is known as a SIM swapping attack, so that the attacker receives the victim's one-time MFA codes.

Additionally, telephone networks are subject to changing regulations, downtime and performance issues, all of which affect the overall availability of the MFA mechanism and can prevent users from signing in to their accounts when they urgently need to.

SMS and voice calls are the least secure MFA method today

All of this makes SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.

The Microsoft manager believes that the security gap between SMS and voice-based MFA and the other methods will "only widen" in the future.

As overall MFA adoption increases and more users protect their accounts with it, attackers will also take a greater interest in breaking MFA methods, and SMS and voice-based MFA will naturally become their primary target because of its widespread use.

According to Weinert, users should enable a stronger MFA mechanism for their accounts where one is available, and he recommends the Microsoft Authenticator app as a good place to start.

However, users who want the best protection should use hardware security keys, which Weinert rated as the strongest MFA solution in a blog post he published last year.

PS: This does not mean that users should turn off SMS or voice-based MFA on their accounts. SMS MFA is still far better than no MFA at all.


It is also worth noting that the original news report was published at de24.news. The editorial team at AlKhaleej Today has confirmed it and modified it; parts may have been transferred or quoted in full from the original, which you can read and follow at its main source.