- SMS and voice for multifactor authentication (MFA) are unreliable secondary methods of authentication, said Alex Weinert, director of identity security at Microsoft, in a blog post last week. Weinert supports widespread use of MFA beyond just passwords, citing major gaps in compromise rate.
- Weinert, who previously warned passwords were losing relevance, issued a call to develop more secure methods of confirming identity or lean on app-based alternatives. SMS and voice are based on publicly switched telephone networks (PSTN), that are the least secure options for MFA, Weinert said.
"These mechanisms are based on publicly switched telephone networks and I believe they're the least secure of the MFA methods available today," Weinert wrote in the blog post. "That gap will only widen as MFA adoption increases attackers' interest in breaking these methods and purpose built authenticators extend their security and usability advantages."
Passwords and authentication dictate system access, yet their management has remained a pain for enterprises. While MFA adds additional layers of defense, easily-exploitable second factors can mean even the most secure password are vulnerable.
SMS and voice protocols were developed they were designed without encryption, Weinert said. From a practical standpoint, organizations can't overlay encryption on top of SMS and voice or users would not be able to read them.
While Weinert is urging a move away from SMS and voice, he still strongly advocates for the use of MFA adoption to enhance security. Adding protection beyond the password raises the costs for attackers and the compromise rate for users using any type of MFA is less than 0.1% of the general population, he said.
There has been a massive shift in recent years toward using mobile devices as the best option to confirm identity, Robb Reck, CISO at Ping Identity, said in an email.
"As we become more attached to our phones, these devices offer one of the strongest ways of proving who we really are," Reck said. "Utilizing an app (vs. voice, SMS or the mobile device's browser) provides the convenience of push notifications, along with a customized experience that users are comfortable with."
Many parts of the world and significant demographic populations in the U.S. have not reached critical mass in the use of smartphones to completely rely on app use and eliminate the need for passwords, he said.
"As we help those groups increase their adoption of smartphones, we will eventually reach a tipping point where we can make this switch," he said. "The benefits of hitting the tipping point are plentiful. We get improved security, the ability to implement truly passwordless flows based on user behavior and risk, and increased user engagement."