Use Authenticator Apps and move away from SMS and voice

Multi-Factor Authentication (MFA) has now been widely accepted and used as a best practice. All your creds are belong to us, is a nice blog that outlines vulnerabilities in credentials other than passwords and highlights the promise of passwordless, cryptographically protected creds like FIDO, Windows Hello, and the Authenticator App.

Now it's also time to move away from SMS and voice as your MFA mechanism.

These mechanisms are based on publicly switched telephone networks (PSTN), and probably are the least secure of the MFA methods available today.

Plan your move to passwordless strong authentication right now – the authenticator app provides an immediate and evolving option.

Let's be clear MFA is essential – we are discussing which MFA method to use, not whether to use MFA. Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts and the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.

Why to go away from PSTN based mechanisms?

It’s worth noting that every mechanism to exploit a credential can be used on PSTN – OTP. Phish, social, account takeover, device theft,... Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN.

As so many devices rely on receiving PSTN there's no way to improve the format or the messages to make them more secure.

SMS and voice were also designed without encryption as it made no sense at the time but it also can't be added in now as too many users rely on those messages. This means signals can be intercepted by anybody who can get access to the switching network or within the radio range of a device.

Most PSTN systems are also backed by online accounts and rich customer support infrastructure. Customer support agents are vulnerable to charm, coercion, bribery, or extortion.

Unfortunately, PSTN systems are not 100% reliable, and also reporting is not 100% consistent. It depends on the region and the carrier, but the path a message takes to you may influence how long it takes to get and whether you get it at all. Sometimes, carriers report delivery when delivery has failed, and in other occasions, delivery of messages can take so long users assume messages have been unable to get through. In some regions, delivery rates can be as low as 50%! Because SMS is “fire and forget,” the MFA provider has no real-time signal to indicate a problem and has to rely on statistical completion rates or helpdesk calls to detect problems.

SMS formats are also more and more subject of spam and there are some regulations in place nowadays but those regulations change rapidly and are inconsistent from region to region and at the end this results into more outages, more frustration.

In practical terms, the text or voice mediums limit how much information can be communicated to a user. SMS and voice formats restrict our ability to deliver the context under which authentication is being requested.

Conclusion

You’re GOING to use MFA if you're not using it already and it's just a matter of which MFA?

Well, for most users on their mobile devices, we believe the right answer is app-based authentication and for us, Microsoft supporters, that means the Microsoft Authenticator.

The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and Microsoft is working on adding even more context and control to the app to help users keep themselves safe.

In just the last year, Microsoft added app lock, hiding notifications from the lock screen, sign-in history in the app, and more.

Hang up on PSTN and pick up the Microsoft Authenticator – your users will be happier and more secure.

You can find more details on this topic in this article: It's time to hang up on phone transports for authentication