- SIM-swapping scams and other techniques pose risk to those who rely upon phone-based authentication
- But don’t make the mistake of disabling MFA entirely – even vulnerable SMS-based MFA is better than no MFA at all
Regular readers of Hot for Security know that we’re big fans of multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA).
Multi-factor authentication makes it much harder for hackers to break their way into your online accounts, even if they already know your password.
An online account protected by MFA will prompt you to enter a separate one-time code – often constructed out of six random digits that expire after a short period of time – after you have entered your password.
The thinking is that a malicious hacker may have managed to correctly guess your password, or cracked it, or phished it, or even exploited the fact that you used the same password somewhere else on the internet that later got breached, but they won’t – most likely – have access to your MFA authentication code.
So, my advice is to turn on multi-factor authentication where it is supported on as many of your accounts as possible, whether it is called MFA, 2FA, or even 2SV (two-step verification). It’s an excellent step to take which will harden the security of your online accounts.
But having MFA enabled is not a guarantee that your account will never get hacked, and that’s especially true if you are using phone-based MFA – which is often delivered via an SMS message.
As we have described before on a number of occasions, hackers have successfully pulled off a SIM-swapping scam.
If successful, a SIM swap (also known as a “Port out” scam) can mean that a criminal now has control over your phone number, and will receive any calls made to you and receive any SMS text messages.
In short, if you’re relying upon an SMS or voice message to deliver your MFA code to you it has now been handed straight to a potential hacker instead.
And it’s for that reason that Alex Weinert, Microsoft’s director of identity security, has this week urged users to stop using telephone voice messages and SMS text messages for MFA.
“These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” wrote Weinert. “That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages.”
So what should you do?
Weinert argues that you would be better off using a smartphone authentication app to generate your one-time-password.
Perhaps the best known authentication app, available for iOS and Android, is Google Authenticator, but others include Microsoft Authenticator, Duo, and Authy.
So what shouldn’t you do?
Please don’t disable SMS-based multi-factor authentication on your accounts if you don’t have another form of authentication to which to move. Even though SMS and voice calls are probably the least secure method of MFA, it is still better than nothing. So take steps to harden your security, but don’t throw the baby out with the bathwater.