Multi-factor authentication (MFA), also called two-factor authentication (2FA), is a fundamental security mechanism. It provides a dramatically higher level of security than a good password alone. But according to Alex Weinert, director of identity security at Microsoft, multi-factor authentication via voice call or SMS is not secure. "It's time to start moving away from voice and SMS multi-factor authentication mechanisms," he says.
The executive explains that these mechanisms rely on the public switched telephone network (PSTN), and that there are tools for attacking authentication codes sent over networks of this type. "Your PSTN account has all the vulnerabilities that all other authenticators have, plus a number of other specific issues. I believe they are the least secure of the MFA methods available today," says the executive on the Microsoft blog.
Although phone-based authentication is not as secure as other methods, it is still far better than having none. MFA makes taking over an account much harder, even when the criminal already has the password.
A cybercriminal can discover your password in several ways: by guessing it, stealing it with malware, phishing, or taking advantage of the fact that many people reuse the same password across online services. But he is much less likely to also have access to your authenticator code.
"Multifactor authentication (MFA) is the least you can do if you are serious about protecting your accounts. Using anything other than a password significantly increases costs for attackers, which is why the account compromise rate using any type of MFA is less than 0.1% of the general population," says Weinert.
However, MFA by voice or SMS does not protect you from SIM swap, in which a cybercriminal contacts the phone company posing as the victim and requests a new SIM card (as happened to former Minister of Justice Sérgio Moro). Once that SIM is installed in the criminal's device, he receives the calls and text messages sent to the victim. He can also take over messaging apps such as WhatsApp, which verify a new install with an SMS code rather than a password, and any other accounts for which he already has the password.
It is also worth noting that when you authenticate with text or voice messages, the code passes through the telephone company's network, so the carrier can read it if it wants to; the protection of that code then depends on the carrier's own controls, not yours.
To avoid having your account stolen even if your SIM is swapped, the Microsoft executive recommends using authenticator applications. These generate the code on the device itself, from a secret shared when the account is enrolled, or receive it over an encrypted channel to the app. Either way the code never travels through the phone network, so only the account owner's device can produce or read it.
Source: Microsoft Blog.
See the original post at: https://thehack.com.br/e-hora-de-parar-de-usar-sms-em-autenticacao-multifator-diz-diretor-de-seguranca-da-microsoft/?rand=48873