Receiving a text message to your device while trying to log into your Facebook account makes it hack-proof, right?
Well, from Microsoft’s point of view, that’s not totally the case, and it is explainable.
Over the years, internet users have been made to recognize SMS-based two-factor authentication as the default security measure for their online accounts, and for obvious reasons, it has been working.
However, this method of securing your online accounts is not failsafe!
Microsoft is known for its giant strides in cybersecurity, with the release of authentication apps and the rumored password manager. If Microsoft were to have a voice on this topic, it would be through Alex Weinert, the director of Identity Security at Microsoft.
Alex Weinert urged netizens to stay away from using the traditional SMS-based two-factor authentication, which is the default protocol for most websites and apps at the moment.
While there are a couple of two-factor authentication protocols today, SMS-based authentication remains the most vulnerable and least secure method.
According to Alex, authenticating via SMS is not adaptable: it cannot be updated to reflect new hacking strategies, unlike software-based methods. While it stays largely the same, hackers can learn ways to bypass it and take over user accounts.
He also explained that SMS messages and phone calls can be intercepted, as they are transmitted "in the clear". Although this isn't as easy as it looks on paper, determination and careful targeting are all a hacker needs to carry out this act.
“Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel.” Alex Weinert explained in the write-up.
He also touched on the slow speeds at which some 2FA codes are transmitted, and how it impacts users’ access to their online accounts. According to the blog post, SMS delivery rates can be as low as 50% in some regions, and if all SMS are 2FA codes, half the populace will face issues accessing their online accounts!
As an alternative to SMS-based two-factor authentication, Alex Weinert recommended Microsoft Authenticator. However, the advancement of technology has brought about some even more secure options.
Google Duo is another secure app you can use to authenticate your online accounts. If you want even more security, you might want to consider using one of the hardware options; YubiKey is one of the best in this category. Just plug the USB key into your computer, and you're logged in.
Nevertheless, be aware that it's better to use SMS-based two-factor authentication than to have none at all. While it might be more error-prone, it is certainly far better than just typing in your password and expecting 100% security.
Why would you even want to continue with SMS-based two-factor authentication, when there are tons of free apps that offer better security?