“Multi-Factor Authentication Essential, But Move Away from SMS And Voice”

Person using two-factor authentication while online banking

Multi-factor authentication (MFA) is something we have to embrace to secure our data and privacy. However, not all MFA methods are alike, warns Alex Weinert, Director of Identity Security at Microsoft. Hackers can, for example, relatively easy intercept text and voice messages. So what are better alternatives?

The Importance of Multi-Factor Authentication

Recently, a Dutch ethical hacker named Victor Gevers managed to take over President Trump’s Twitter account after guessing the president’s password: maga2020! (Make America Great Again). To his surprise two-factor authentication was disabled on Trump’s Twitter account, even when this is normally “on” by default. Once logged in, Victor Gevers could have posted messages in the name of the president or read personal messages (DMs). He reported the issue instead.

The example shows how important it is to secure your online accounts with multi-factor authentication (MFA) or two-factor authentication (2FA). Undoubtedly, MFA is an extra layer of security on top of traditional security. This is because cybercriminals not only need to have something you know (your password), to hack your account, they also need something only you should have (a 1-time access code).

However, while everyone agrees that MFA can significantly reduce the number of incidents, most people find it too much trouble or too inconvenient to secure their accounts this way. But it is worth it. Alex Weinert stated that less than 0.1% of all users who have enabled MFA have their online accounts compromised by hackers. “It is the least you can do if you are at all serious about protecting your accounts”, he said.

Not Whether but Which Method To Use

In a recent blog post by Alex Weinert, he emphasized that it is no longer a question if MFA is essential. It simply is, because even if you use a secure password, if your password is breached… it’s breached. The hacker knows your password and if you didn’t activate MFA, he has unlimited access to your account. And to every other account for which you used the same password.

However, at the same time, Alex Weinert warns users that not all MFA methods are equally secure. SMS and voice messages, for example, are based on Public Switched Telephone Networks (PSTN). Both are designed with no security or encryption in mind. “What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device. […] This is a substantial and unique vulnerability in PSTN systems that is available to determined attackers.”

SMS and voice messages are easy to retrieve via social engineering. As examples, the security experts names phishing and SIM Jacking, also known as SIM Swapping. This is when a scammer calls a telecom company, poses as the victim and asks whether his victim’s phone number can be activated on another SIM card. If they succeed, they can receive authentication codes or account password-reset links to their SIM swapped phone. The victim will not be aware until such time that he discovers his SIM card no longer works.

These Forms of MFA Are Secure

So, what are safe MFA security mechanisms to use? One solution is to rely more on biometrics, such as your fingerprint or face identification. Researchers have even developed a means of turning the unique rhythms of your heart into a password. Alex Weinert also mentioned, for example, Windows Hello. This is biometrics-based software Windows 10 users can use to secure their account with a fingerprint, iris scan or facial recognition.

Windows Hello is one of many FIDO certified authenticators. FIDO (Fast Identity Online) is the successor to One-Time Passcodes (OTP) and is based on public key encryption. This system uses pairs of keys: a public key and a private key. The user can use their private keys only after they have unlocked them locally on their device. Biometric information never leaves the user’s device. Yubico’s hardware security keys also use FIDO. Here you use a physical hardware key instead of a password to gain access to your account.

Additionally, Alex Weinert referred to Microsoft Authenticator. This is an application that generates login codes when you try to log in to, for example, Microsoft OneDrive or Twitter. These codes are constantly changing, making it impossible for hackers to take over your account. The Authenticator uses encryption to communicate with users. The Google variant is Google Authenticator. You can install the Google Authenticator app for free on both Android an iOS devices.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol that has been finetuned and optimized over the years.