Here's Why Microsoft Wants You to Stop Using SMS and Voice-Based Authentication
In a recent blog post, Alex Weinert, Microsoft's director of Identity Security, expressed an opinion that may seem a bit controversial at first glance. Weinert argued that SMS and voice-based multi-factor authentication (MFA) services are the least secure option when it comes to MFA.
While we usually like to think text messages are a foolproof and very secure method of implementing multi-factor authentication, Weinert brought up a few interesting points that people generally don't consider when they think about the issue.
The points Weinert makes in his blog post all relate to the nature of SMS and voice-based MFA: the involvement of public switched telephone networks (PSTN). According to Weinert, PSTN systems are not completely reliable, and a message may be delayed or may not come through exactly when needed.
Another thing he mentioned was that PSTN-reliant multi-factor authentication cannot keep up with technological advancements and can often fail to live up to users' expectations of the experience.
Additionally, regional or federal-level changes in regulations may alter the ability of companies to deliver SMS and phone calls, effectively rendering a previously working MFA method inoperable or difficult to maintain.
Finally, Weinert mentions that neither SMS nor phone calls inherently have any sort of encryption, and it is technically possible to intercept them using a variety of hardware and malware.
Of course, this does not mean people should stop using MFA. On the contrary, Weinert highlighted the importance of using MFA whenever possible and the security benefits it brings. However, his advice focused on using applications instead of SMS or voice-based services.
At the end of the day, the regular user can only rely on whatever MFA options a service provides for them. The decision whether to use an application or text messages is ultimately in the hands of the service provider, and the customer and end user can only go with what is being offered.