Multi-Factor Authentication is Evolving

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are extra layers of security on top of a username and password. We covered the topic in a Back-to-Basics post you can read here.

This month, Microsoft’s director of Identity Security, Alex Weinert, urged users to move away from SMS (text message) based authentication. We have been following the issues with text-message-based authentication for over a year now. Microsoft is the first to come out and discourage its use as a method of authentication.

Weinert lists several reasons behind the announcement. The most important issue is that SMS messages are transmitted “in the clear,” which means they can be intercepted by hackers. Another issue Weinert lists is that SMS authentication is not software-based and therefore not adaptable as technology evolves.

Text-based authentication is also susceptible to social engineering. Criminals have been known to contact cell phone providers and convince a customer service agent to send them a replacement SIM card that belongs to someone else. In these cases, the hacker is targeting a specific person and has personal information on the target of the attack.

Better authentication tools are app-based solutions or hardware security keys. An authentication app creates a new passcode every 15-30 seconds and is less susceptible to social engineering. Microsoft and Google both have app-based authentication tools.
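
The following is an added example, not code from Quanexus, Microsoft or Google: a minimal time-based one-time password (TOTP, RFC 6238) generator and verifier in Python, the standard commonly used by authenticator apps. It shows that the code is computed locally from a shared secret and the clock, so nothing is sent over the phone network. The 30-second step, 6-digit length and HMAC-SHA1 are assumed defaults, and the secret is the RFC test value.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumption: RFC 6238 default time step
DIGITS = 6          # assumption: common authenticator-app code length


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code for the time step that contains `at` (Unix seconds)."""
    counter = max(0, int(at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept codes from `window` steps either side of `at` to absorb clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP_SECONDS)
        # Constant-time comparison with no early exit, so timing reveals nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    now = time.time()
    code = totp(secret, now)
    # The code verifies now, but not five minutes later.
    print(code, verify(secret, code, now), verify(secret, code, now + 300))
```

A production verifier would also record the last accepted time step per account so that a code cannot be reused inside its validity window.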

At Quanexus, we also strongly discourage the use of email as an authentication method. With business email compromise (BEC) on the rise, it is easy for a criminal to intercept your email and gain access to your accounts.

What this Means for You

Many services and applications only offer SMS-based 2FA. Any extra step beyond simply a username and password can be more secure. Continue to use the 2FA and MFA services available to you. Now that Microsoft has taken the lead with this announcement, we expect more services to start offering application-based authentication, but most businesses are not there yet.


Posted by Charles Wright