Microsoft is urging enterprises to move away from one-time passwords (OTPs) sent via SMS and voice calls to more secure multi-factor authentication (MFA) technologies such as app-based authenticators and security keys.
Following a blog post from Microsoft’s Director of Identity Security, Alex Weinert, enterprises are being urged to strengthen their authentication solutions by moving away from unencrypted MFA methods such as OTPs via SMS.
Because SMS messages and voice calls are transmitted in cleartext, one-time codes sent this way can be intercepted by attackers using a variety of techniques and tools, such as software-defined radios, rogue femtocells, and SS7 intercept services.
SMS-based OTPs are also at risk of phishing via open source and readily available phishing tools like Modlishka, CredSniper, and Evilginx.
SIM swapping is an additional threat for one-time codes as attackers continue to have success in convincing phone network employees to transfer victims’ phone numbers to their own SIM cards, enabling attackers to receive one-time codes on behalf of their victims.
The technology gap is widening
Weinert emphasises that SMS- and call-based MFA are the least secure MFA methods available today, and that the security gap between them and stronger methods of authentication will only continue to widen.
The strongest form of MFA is a digital identity built on a private key issued to an end user's secure device. This kind of cryptographic authentication was typically reserved for the most security-conscious organisations, those with the in-house teams and budgets needed to manage such a solution, but that has now changed.
Accessible strong authentication
Strong authentication no longer requires vast budgets or in-house expertise. Today it involves minimal investment in additional infrastructure, can be deployed on USB tokens or mobile devices, and, with MyID credential management software, does not require specialist in-house skills to manage.
PKI is often still seen as the gold standard of authentication, but with the standards-based strong authentication provided by FIDO, organisations now have more options to protect their data and systems against the number one cause of data breaches: compromised user credentials.
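To illustrate why the key-based authentication above resists the reverse-proxy phishing kits mentioned earlier while an SMS code does not, here is an added, simplified model of a FIDO/WebAuthn-style assertion (example code written for this page, not Microsoft's, Intercede's or any FIDO library's own). It assumes a constructed origin `https://login.example.com`; the device signs over the origin the browser is really talking to, so a code "relayed" from a look-alike site cannot verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// ClientData follows the WebAuthn clientDataJSON idea: the browser records the
// origin it is really talking to plus the server's challenge, and the device signs that.
type ClientData struct {
	Origin    string `json:"origin"`
	Challenge string `json:"challenge"`
}

// Authenticator holds the private key, which never leaves the user's device.
type Authenticator struct{ priv ed25519.PrivateKey }

// Sign produces the assertion signature over the serialised client data.
func (a Authenticator) Sign(cd ClientData) []byte {
	msg, _ := json.Marshal(cd)
	return ed25519.Sign(a.priv, msg)
}

// RelyingParty is the server: it knows its own origin and the user's public key.
type RelyingParty struct {
	Origin string
	pub    ed25519.PublicKey
}

// Verify accepts an assertion only if the signed origin is the relying party's
// own, the challenge is the one it issued, and the signature is valid.
func (rp RelyingParty) Verify(cd ClientData, sig []byte, issued string) bool {
	if cd.Origin != rp.Origin || cd.Challenge != issued {
		return false
	}
	msg, _ := json.Marshal(cd)
	return ed25519.Verify(rp.pub, msg, sig)
}

// Register creates a fresh key pair and binds its public half to the server.
func Register(origin string) (Authenticator, RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Authenticator{priv}, RelyingParty{origin, pub}
}
```

An assertion signed for `https://login-example.com` (a constructed look-alike origin) fails `Verify` even though the key and challenge are genuine, which is the property an OTP typed into a proxy page lacks.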
At Intercede we have developed the MyID platform to meet the challenges of enterprises with users ranging from 500 to more than 100,000 employees, supporting both PKI and FIDO and simplifying the deployment and management of strong authentication credentials across the enterprise.
If you are an organisation looking to move to a more secure way of authenticating your employees, contact us now to discuss your requirements further or to arrange a demo of the MyID software platform.