Microsoft exhorts enterprises to quit text, voice multi-factor authentication passcodes

A Microsoft executive is urging enterprises to abandon the most popular multi-factor authentication (MFA) method — one-time passcodes sent to mobile devices via text or voice — for different approaches, including app authenticators, that he claims are more secure.

“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” asserted Alex Weinert, director of identity security, in a Nov. 10 post to a Microsoft blog. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.”

Weinert argued that other MFA methods are more secure, calling out Microsoft Authenticator, his company’s app-based authenticator, and Windows Hello, the umbrella label for Microsoft’s biometrics technology, including facial recognition and fingerprint verification. It’s no coincidence that Weinert touted technologies Microsoft has aggressively pushed in its campaign to convince enterprises to go passwordless.

More than a year ago, Weinert spelled out how, in his view, passwords alone are no defense against credential theft, but that by enabling MFA, “your account is more than 99.9% less likely to be compromised.” That advice hasn’t changed, but Microsoft’s stance on MFA has now narrowed. “MFA is essential — we are discussing which MFA method to use, not whether to use MFA,” he wrote last week.

Weinert ticked off a list of security flaws in SMS- and voice-based MFA, the technique that typically sends a six-digit code to a predetermined, verified phone number. Those defects, Weinert said, ranged from a lack of encryption — texts are sent in the clear — to vulnerability to social engineering.

App-based authentication, Weinert contended, is a much more secure means to the WFA ends. He then touted Microsoft Authenticator, which comes in versions for Google’s Android and Apple’s iOS.

Authenticator boasts encrypted communication, supports facial and fingerprint recognition — letting users authenticate using those technologies when, say, their company-supplied laptops do not. Authenticator also supports one-time passcodes, duplicating the mechanism of SMS-based WFA, albeit in encrypted form from start to finish.

To some extent, Microsoft has put its policies where its mouth is. Since last year, new Office 365 and Microsoft 365 tenants have been accompanied by a set of default option settings called security defaults, which require every user to authenticate through MFA. The Microsoft Authenticator app is the default MFA method.