Security News > 2020 > November > Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped

Multi-factor authentication, for those who haven't been paying attention, involves adding one or more additional access requirements to password-based authentication.

At the same time, he argues people should avoid relying on SMS messages or voice calls to handle one-time passcodes because phone-based protocols are fundamentally insecure.

Hacking techniques like SIM swapping - where a miscreant calls a mobile carrier posing as a customer to request the customer's number be ported to a different SIM card in the attacker's possession - and more sophisticated network attacks like SS7 interception have demonstrated the security shortcomings of public phone networks and the companies running them.

They found 17 had authentication policies that allowed an attacker to hijack an account with a SIM swap.

In September, security firm Check Point Research published a report describing various espionage campaigns, including the discovery of malware that sets up an Android backdoor to steal two-factor authentication codes from SMS messages.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/11/microsoft_mfa_warning/