Skip to main content
close search
site logo
Dive Brief

Voice, SMS not secure enough for multifactor authentication, Microsoft says

Published Nov. 16, 2020
David Jones's headshot
Reporter
Kendall Davis for CIO Dive

Dive Brief:

  • SMS and voice for multifactor authentication (MFA) are unreliable secondary methods of authentication, said Alex Weinert, director of identity security at Microsoft, in a blog post last week. Weinert supports widespread use of MFA beyond just passwords, citing major gaps in compromise rate. 
  • Weinert, who previously warned passwords were losing relevance, issued a call to develop more secure methods of confirming identity or lean on app-based alternatives. SMS and voice are based on publicly switched telephone networks (PSTN), that are the least secure options for MFA, Weinert said. 

  • "These mechanisms are based on publicly switched telephone networks and I believe they're the least secure of the MFA methods available today," Weinert wrote in the blog post. "That gap will only widen as MFA adoption increases attackers' interest in breaking these methods and purpose built authenticators extend their security and usability advantages."

Dive Insight:

Passwords and authentication dictate system access, yet their management has remained a pain for enterprises. While MFA adds additional layers of defense, easily-exploitable second factors can mean even the most secure password are vulnerable. 

SMS and voice protocols were developed they were designed without encryption, Weinert said. From a practical standpoint, organizations can't overlay encryption on top of SMS and voice or users would not be able to read them.

While Weinert is urging a move away from SMS and voice, he still strongly advocates for the use of MFA adoption to enhance security. Adding protection beyond the password raises the costs for attackers and the compromise rate for users using any type of MFA is less than 0.1% of the general population, he said. 

There has been a massive shift in recent years toward using mobile devices as the best option to confirm identity, Robb Reck, CISO at Ping Identity, said in an email. 

"As we become more attached to our phones, these devices offer one of the strongest ways of proving who we really are," Reck said. "Utilizing an app (vs. voice, SMS or the mobile device's browser) provides the convenience of push notifications, along with a customized experience that users are comfortable with."

Many parts of the world and significant demographic populations in the U.S. have not reached critical mass in the use of smartphones to completely rely on app use and eliminate the need for passwords, he said. 

"As we help those groups increase their adoption of smartphones, we will eventually reach a tipping point where we can make this switch," he said. "The benefits of hitting the tipping point are plentiful. We get improved security, the ability to implement truly passwordless flows based on user behavior and risk, and increased user engagement."

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell