Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped

Microsoft on Tuesday advised internet users to embrace multi-factor authentication (MFA)... except where public switched telephone networks are involved. Multi-factor authentication, for those who haven't been paying attention, involves adding one or more additional access requirements to password-based authentication. So an …

  1. Version 1.0 Silver badge
    Meh

    Mother FA

    The only secure method is not to have on-line access, if you do have an on-line account then don't use Maga2020 as the password - use a real password. Maybe this new method will work but it's just an app and apps get hacked, MFA doesn't stop hacking, it just slows it down.

    1. TeeCee Gold badge

      Re: Mother FA

      I would suggest that if you are the sort of target where it's worth some organisation's time, effort and resources to acquire your user information, password and bypass MFA then yes, you really mustn't have on-line access.

      For the vast majority, there's no need to be quite that paranoid.

      1. CAPS LOCK

        "For the vast majority, there's no need to be quite that paranoid." El Reg is no place...

        ...for common sense. Go to your room and think about what you've done.

    2. That 8 Bit Guy
      Joke

      Re: Mother FA

      I've been using 123 456 on my luggage for 10 years and the TSA still hasn't been able to get access. I always put some sticky tape to check.

      So remember to use an easy password and put some sticky tape on your phone.

      Simples.

      (I have a new lock code sorry TSA.)

  2. mark l 2 Silver badge

    Paypal has just brought in mandatory 2FA so you have to register your mobile number with them so they can send an SMS to verify your purchases. They don't offer you the option to use a landline and it's a pain in the arse to be honest because I often purchase several times per day using Paypal and don't get a mobile signal in my office so have to keep going outside to get the SMS to input into Paypal.

    I have set it to remember my device but that box doesn't seem to make any difference to the number of times I am forced to wait for an SMS to be received.

    1. Anonymous Coward

      There are a few of us who quite deliberately do not have a mobile at all. Even those who participated in setting the VoIP standards.

      My time is my own when I'm out and about, not to be interrupted by any moron who can find my number and wants to interrupt me for their entertainment.

      I demand the freedom to not spend money on some provider. Worst of all, it's not an amount, it's rent and various security exposures as pointed out.

      I guess those companies who assume we all fell for that rent-seeking will have to do without my business.

      1. Aleph0
        Meh

        All well and good until you're the one that needs to make a call.

        My dad has a similar attitude as yours; a couple of years ago while he was doing odd jobs alone he had a nasty accident that left him unable to reach somewhere with people, and it took us until his expected return time to realize that something had happened and rush him to the hospital; suffice it to say, he nearly lost his leg for the delay in treating the injury. If only he had had a mobile phone about him...

        You'd think he'd learnt his lesson but no, he still goes around without a phone (but with a limp now). He says at 80 he isn't about to change his habits.

        1. Dwarf

          @Aleph0

          I guess that ultimately it’s his choice.

          He might be right, he might be stubborn, he might be wrong, he might have looked at the odds and said it probably won’t happen again.

          People have existed for a long time without mobile comms and I think we all know people who share your dad's viewpoint and I'd guess that many are from the same age group.

          1. Tomato42
            Boffin

            just like miscarriages for women aren't independent statistical events, accidents aren't either

          2. Anonymous Coward

            People have existed for a long time without mobile comms...

            And some people ceased to exist because they didn't have mobile comms available. On the whole I'd argue it's better to have something and not need it than the alternative.

        2. Anonymous Coward
          Unhappy

          My dad has a similar attitude as yours; a couple of years ago while he was doing odd jobs alone he had a nasty accident that left him unable to reach somewhere with people, .... If only he had had a mobile phone about him...

          DECT handset is more useful if always at home. Mobile phone "for emergencies" needs you to constantly:

          - keep it charged

          - keep it on you

          - Make a call on it every 2.5 months to prevent number reassignment if pay as you go

          - Pay phone company every month for something you don't use

          1. Peter2 Silver badge

            Really?

            I've been using my pay as you go number since around about 2002, and I most certainly haven't made a call every 2.5 months. There are times when it's been turned off for more than that; an old fashioned nokia will last a good 3 weeks while turned on, and at least double that when nominally turned off.

            1. That 8 Bit Guy
              Joke

              I totally agree. I have an old CDMA phone and nobody calls me on it.

            2. JohnGrantNineTiles

              I hadn't used my PAYG phone since lockdown in March and it stopped working in September, after 6 months. Fortunately I noticed soon after, and they reconnected it. You don't get an e-mail or text or anything to warn you.

      2. Hubert Cumberdale

        I'm sort of with you, ish. Phones are just mobile these days – landlines will one day soon be a relic, and you can switch off a mobile if you're that bothered. However, more and more things are assuming that I have a smartphone now... I've chosen to stick with a basic £15 phone for the last two years, and I haven't regretted it.

        Occasionally, though, a company will just assume everyone has one, despite about 14% of the population being hold-outs like me. Like the other day, when I went to pick up my new coffee machine from $WEIRDLYAWELLKNOWNRETAILEROFPCS and on arrival they wanted me to scan a QR code and click on a link. I handed them a printout of my order confirmation and told them I'm sure they could figure it out, which thankfully they did. I think this is going to gradually get worse, though.

        1. find users who cut cat tail

          > landlines will one day soon be a relic

          Landlines are how you make a call to a specific place, and they have always been. If I call for example the grant office, the phone will ring there, will be answered by someone from the grant office, and that is the point. You are right that landlines may be someday replaced anyway – by immobile mobile phones.

      3. NeilPost Silver badge

        You could always have a small (dumbphone) mobile for emergency purposes and not switch it on. Keep it in your handbag/man bag or car. Perhaps if you are late for something and need to call ahead.

        I can’t see why anyone would want to call you for entertainment purposes though.

        1. Andy Non Silver badge

          My wife (in her 80's) has a dumb Doro phone. It has an emergency button on the back you push and hold to call a number of your choice. It has earned its keep a couple of times now when she's had a fall.

          1. Captain Obvious
            Joke

            Macron

            Is that you? :)

        2. Cynic_999

          "I can’t see why anyone would want to call you for entertainment purposes though"

          Have you never had calls asking about your recent accident, or enquiring as to whether you would like to buy a conservatory or might be due some compensation for something?

          1. Stork Silver badge

            not quite

            But plenty of dubious investments and agencies that want to supply clients to our business.

            One said (in an Indian accent) that he phoned from Copenhagen, so I changed to Danish. For another I recited Monty Python's Hungarian dictionary sketch; I do not think any of the responses were covered by the script.

    2. Cassandr@

      PayPal offers the use of an authenticator app as an alternative to SMS.

      1. Franco

        They do indeed, I use Microsoft's app as I had it anyway for both personal email and Office 365 business email. Only small drawback is that you have to put in the 6 digit code rather than approving the sign-in via a toast notification, unless I just set it up incorrectly.

    3. xyz Silver badge

      Lol...

      I'm still locked out of my PayPal account because they have a phone number I gave up years ago. Online chat doesn't help because their get-around still tries to send a code to my old mobile. They're going to phone me; unfortunately there is no mobile signal where I live and I don't really want to be hanging around a street corner for 48 hours waiting for them to call.

      1. sgp

        Re: Lol...

        Paypal was quite useful back in the day but I don't see any use for it anymore. I deleted my account last year and haven't yet encountered a situation in which I missed it.

        1. sabroni Silver badge

          Re: but I don't see any use for it anymore.

          It's for when you want to buy something with your credit card but don't trust the vendor with your card details. I thought that has always been the reason for using it.

          What changed for you last year? Did your credit card number become public knowledge?

          1. heyrick Silver badge

            Re: but I don't see any use for it anymore.

            Perhaps his bank caught up with the times and started to offer a virtual card service?

            I've always used that with PayPal in the past, no way they're having real card details. However they do get a bit sulky if five purchases use five different credit cards...

          2. ben kendim

            Re: but I don't see any use for it anymore.

            Bank of America had a feature that generated a new credit card number for use in online purchases. It was good for a single merchant, you could set the monthly credit limit, you could set the expiration date, and the charges would appear on your regular credit card. Best thing ever! I used it, and never had need for PayPal, or any other payment processor.

            Why BoA took it away last year, I'll never know...

              1. Anonymous Coward

              Re: but I don't see any use for it anymore.

              Citi has that feature. I've used it for an add-on purchase on a mobile app - set up new card number with expiration of next month and credit limit $1 more than the app would charge, make payment, then cancel the temporary number. Quick and easy.

        2. Franco

          Re: Lol...

          I like it for online checkout, means not having to create accounts that will mean getting spammed.

    4. Missing Semicolon Silver badge

      Paypal 2FA

      Paypal used to hand out secure key generator fobs and cards. Now they are trying really hard to get rid of them, and rely on SMS only!

      1. Anonymous Coward

        Re: Paypal 2FA

        No, you can use various apps, such as google authenticator or Authy

    5. steviebuk Silver badge

      I was also going to moan about PayPal. Considering they handle money, you'd expect them to have other options other than SMS 2FA but they don't.

      1. Ste ve

        I will rarely defend Paypal, but they do actually have other 2FA methods, such as an authenticator and will use all the usual suspects.

    6. Steve Lloyd

      I've set up my Paypal to use Authy. A much better option. I can't get the tick box to work either though.

    7. Lee D Silver badge

      I use Google Authenticator on Paypal (you don't need to be scared of the Google name... it's just a standard that dozens of other authenticators can use without Google involvement).

      Hence no SMS whatsoever, but Paypal accepts as a 2FA. I just type in the code off my phone (so long as the clocks are vaguely correct, the code will work offline too).

      Dozens of services I know use TOTP via Google Authenticator or similar. Only two I know of use SMS (and they have options for TOTP). And the only SMS I get are for notification purposes, really, not requesting auth.

      And I don't even have a landline, and hate text messages, so I'd know if all of a sudden Paypal had "made" you use SMS... just use the TOTP option instead of SMS.

      And if you use the right app, you can copy the TOTP seed settings to other devices so you have a backup (Google Authenticator added this only recently, but it means all of my devices can generate the same TOTP code for all my accounts, and be backed up in case I lose the phone).
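    The mechanics behind Lee D's point (a TOTP code is just HMAC over a shared seed and the current 30-second time step, so any device holding the same seed produces the same code with no network involved, provided its clock is roughly right), as an added example that is not taken from any comment or product mentioned above. It uses the published RFC 4226/6238 test seed; the one-step skew window and the replay check on the verifier side are my own design choices, not something the thread describes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    Nothing here talks to a network; only the seed and the clock matter."""
    t = int(time.time()) if now is None else now
    return hotp(key, t // step, digits)


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 seed as carried in authenticator QR codes / otpauth URIs.
    Tolerates spaces, lower case and missing '=' padding, as apps do."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server-side check (assumed design, not from the thread): accept the current
    step plus `skew` steps either side to absorb a slightly wrong phone clock, and
    never accept a counter value at or below one already consumed (replay defence)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_accepted = -1  # highest counter value already used successfully

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        t = int(time.time()) if now is None else now
        base = t // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter <= self.last_accepted:
                continue  # this step was already spent: treat as replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test seed ("12345678901234567890" in base32), not a real account secret.
    seed = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(seed)
    code = totp(seed, now=59)
    print(code, verifier.verify(code, now=59), verifier.verify(code, now=59))
```

The verifier accepts a code generated up to one step early or late, which is why an authenticator whose clock is 20 seconds off still works, while one that is 5 minutes off does not. The second `verify` call in the demo fails because the same step has already been consumed; without that check a phished or shoulder-surfed code stays valid for the rest of its 30-second window.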

    8. Ian Johnston Silver badge

      Which is great for those of us who live, as I do, a mile and a half away from the nearest mobile signal.

    9. Cynic_999

      At least you can get the SMS by just stepping outside the office. How about the people who don't have any cell coverage in their location at all?

      When I am in a different country, 2FA is a real PITA, because messages to my UK number may not be forwarded to that country (or can be delayed by a long time). Even if SMS to a UK cell is forwarded to that country promptly, I usually swap my UK SIM for a local SIM so that I am not paying exorbitant rates for data while in that country. So I have to swap the SIM back just to get the code, or jump through hoops in advance to temporarily change the number of the 2FA (which usually requires 2FA to achieve!)

      Using an email address for 2FA is far preferable in those situations.

      Better yet is the system my bank uses of having a handheld device that reads my bank card to give me a code after I have entered its PIN.

      1. Stork Silver badge

        Dual SIM phone?

        Plenty of them about

  3. Yet Another Hierachial Anonynmous Coward

    OMG !

    Something sensible from Microsoft... Whatever next. Then I read the last couple of paragraphs. Sales pitch for a Microsoft app, that runs on a mobile phone of all things.

    I am fed up with the number of arguments I have had with the likes of banks, councils, government departments, etc., who insist on using things like SMS texts to provide 2FA/MFA. I've even had written correspondence with their "security" teams pointing out this is not secure and only gives rise to new scams like phone theft, SIM hijacking, etc. But they don't care and can't be arsed to think. As far as they are concerned it is the sloppiest, easiest option for them to take in order to claim they have secure systems. They can then turn round and say it must be the customer's fault when something goes wrong.

    Also, I utterly object to providing organisations like the above with any more than the most basic of information - my mobile phone number is mine. It is private, for my use. Not for their slurping and use.

    /rant

    1. ibmalone

      Re: OMG !

      What baffles me is my bank used to have a card-reader based 2FA and then changed it for SMS. Was pretty astonished to learn how common SIM swapping is, there's apparently a pretty thriving industry.

      1. Yet Another Anonymous coward Silver badge

        Re: OMG !

        Hardware costs money

        Logins to our development system now use an RSA app instead of the little RSA keyfob thingy

        Of course logins to all our Microsoft products need the Microsoft authenticator app

        1. brotherelf

          Re: OMG !

          Software costs money, too. (My "favourite" example is a purveyor of fine almost-never-breachable(tm) VPN solutions, a veritable fortiress of data security, who is very proud that they support RFC-compliant *OTP. Well yes, but the way to import the shared secrets is dongled to hell and back, so they still get to charge you money for nothing and you can't bring your own *OTP app.)

          That being said, as with everything else in security, it's a tradeoff consideration. Would my elreg account warrant authentication by blood sample? Hardly. Can you afford to lose all customers who can't/won't use smartphones? Along with all using smartphones (authenticator and service app on the same device weakens security)? What's your fallback to re-authenticate when the 2nd factor is lost? If it involves a phone line, you've gained nothing. If it involves postal mail or physical presence, it will be slow.

        2. Dan 55 Silver badge

          Re: OMG !

          You can specify you want to use an alternative 2FA app, it's buried somewhere in your Office account settings.

          Unless your BOFH has a policy which disables that of course.

  4. sanmigueelbeer
    Thumb Up

    Password + Token

    Password + Token -- Just sayin'.

  5. IceC0ld

    all the options posited here, will, of course be looked at in depth, given due diligence, and the option selected shall then be announced ...................

    Don't hold your breath for something new, the winner IS / WILL BE ................................. the cheapest to setup, and the easiest to implement :o)

    1. Yet Another Anonymous coward Silver badge

      On Microsoft+Office stuff - it's the MSFT Authenticator app - even seems to work on people's fruit based podcast playing devices

  6. streaky

    U2F

    U2F

    U2F

    U2F

    Also U2F.

    Not difficult.

    1. Pascal Monett Silver badge

      Re: U2F

      Interesting project, but at the moment it only works on Chrome.

      Sorry, I do not see how my privacy and security are improved by using the biggest slurp browser that exists.

      1. David Nash Silver badge

        Re: U2F

        First time I've heard of it but the Wikipedia page for U2F suggests otherwise.

      2. Crypto Monad Silver badge

        Re: U2F

        U2F indeed originated in Google, but it was explicitly designed *not* to be trackable. You can have a husband and wife sharing the same U2F key, logging into the same service on the same device, and the service cannot tell whether or not it is the same U2F key being used. It's a neat design.

        The main problem with U2F, or indeed any type of 2FA, is what happens when your 2FA device is lost or breaks - assuming you weren't smart enough to enrol a spare one (which many services don't allow you to do anyway), or to print and safely store some recovery codes.

        If you can recover simply by getting a reset link sent to your E-mail, then the security of your mailbox is the limiting factor. In some cases, it's only as secure as a few easy-to-guess questions about your favourite food or your first school.

        1. Down not across

          Re: U2F

          it's only as secure as a few easy-to-guess questions about your favourite food or your first school.

          You don't actually give real answers for those?

        2. streaky

          Re: U2F

          I usually register 3 keys, one on my keyring, one sits in a fire and water resistant lockbox and the other normally stays at my parents' house. Having just one key is nuts, you're absolutely right. If you can backdoor it using email or sms or something then there's no point in it - most services that support it offer recovery codes, which is a little questionable but I keep them in a password vault that supports secure notes, although that is secured by.. U2F so probably not practical :)

          My biggest issue I'm having with U2F (which should be *universally* supported by now, it not being by banks, Paypal et al is criminally negligent) is dumbass companies who support U2F and *then* force you to click an email link or something after, so dumb..

      3. streaky

        Re: U2F

        "Interesting project, but at the moment it only works on Chrome."

        Incorrect.

  7. JBowler

    Password managers aren't 2FA

    They just allow me to use BHTG (B Hard To Guess) passwords, well, impossible to guess and impossible to even see given that they aren't even typed in (stupid dots or not).

    2FA does work with password managers and it doesn't matter that it is insecure because all it is verifying, given a strong password, is that the user of the password is in possession of the device with the password on it. So it's not enough to compromise the password; the attacker has to also compromise the device. Someone who wants to do this can do so via a simple physical attack, or being the UK police and simply asking, nicely of course.

  8. cbars Bronze badge

    Errrr

    This is the perfect being the enemy of the good, again.

    "You shouldn't use MFA because of SIM swapping"? That is stupid. Instead of being vulnerable to every single device on the Internet, you're now vulnerable to a small sub set of that, and require people to speak to people which is more risky, requires more skills and is overall, obviously, a more secure position.

    "You shouldn't wear a bullet proof vest, soldier, someone can just shoot you in the head"

    Fucks sake.

    1. Dan 55 Silver badge

      Re: Errrr

      If someone is going to implement MFA on their online service, what's the advantage in choosing the worst option out of all of them?

      1. NeilPost Silver badge

        Re: Errrr

        Though despite having Authenticator Microsoft still offer SMS and call your phone options....!!!

        1. A Non e-mouse Silver badge

          Re: Errrr

          In your Office 365 environment you can select what types of 2FA the user is allowed to use.

      2. sabroni Silver badge

        Re: what's the advantage in choosing the worst option out of all of them

        90% take up compared to 5%?

        Doesn't matter how secure your system is if people can't be arsed to use it.

      3. cbars Bronze badge

        Re: Errrr

        That is *such* a weird argument. If you're going to buy something, sure there are varying degrees of quality and price point, but either you have the thing or you don't. For example, a toaster. Having toast from a 'bad' toaster is still toast, even though the toaster doesn't have the top of the range functionality. The advantage is toast, or in this case, having MFA vs no MFA.

        1. Dan 55 Silver badge

          Re: Errrr

          We're talking about the company selling the toaster, not the customer buying the toaster.

          SMS wouldn't even be the cheapest option for the company either, there's the recurring cost of sending text messages.

          So it's the least secure most expensive option. There's nothing to recommend it.

          1. sabroni Silver badge

            Re: So it's the least secure most expensive option

            No, the cheapest option is single factor, just a password.

            You can implement authy or a dongle but you won't get many of your customers to use it.

            You can use sms for 2fa and be far more secure than password alone.

            The system needs to work in the real world not prove a theory in a thesis.

            1. Dan 55 Silver badge

              Re: So it's the least secure most expensive option

              Authentication apps do work in the real world. Even more so than SMS, you don't need coverage.

              1. Down not across

                Re: So it's the least secure most expensive option

                Insecure as SMS might be, it is still an improvement over SFA and has the benefit that it will work even with "dumb" phone and doesn't require much technical understanding from the end user either.

                Of course authentication application is better choice being more secure, and yes often crucially working without mobile signal as long as clock is reasonably correct etc.

          2. cbars Bronze badge

            Re: Errrr

            @Dan 55

            I'm talking about someone from the toaster selling company telling people not to use a toaster.

            You're talking about what you think would be an appropriate design choice, and your argument is MS shouldn't offer SMS MFA, because its not the best. This would either leave a whole class of people who don't have smart phones with just passwords or outside MS products. Both of those are worse for MS than implementing the 'good' and the 'best', and allowing people to use 'good but expensive' over nothing.

            So.... I would recommend SMS MFA over nothing, and I'd recommend supporting multiple MFA implementations if you can afford it.

            Dnt b mean 2 txt msgs dey r gr8 4 sum

  9. Dan 55 Silver badge
    Linux

    "alternatives, like Twilio's Authy, Cisco's Duo Mobile, Google Authenticator"

    Or, indeed, an open source solution where you are in control.

    1. sabroni Silver badge
      Windows

      Re: Or, indeed, an open source solution where you are in control.

      Might be a little more convincing if you could actually name one.....

      1. Anonymous Coward

        Re: Or, indeed, an open source solution where you are in control.

        "Might be a little more convincing if you could actually name one....."

        FreeOTP.

        There you go, no need to thank me

        1. sabroni Silver badge

          Re: no need to thank me

          Ok.

      2. Dan 55 Silver badge

        Re: Or, indeed, an open source solution where you are in control.

        FreeOTP, FreeOTP+, andOTP, Aegis Authenticator... all on F-Droid and have been updated recently.

        1. hoola Silver badge

          Re: Or, indeed, an open source solution where you are in control.

          For large organisation most will already have stuff with Microsoft so adding the MFA app is very easy and for many not extra cost. Not having to muck about distributing hard tokens makes that even easier. Managers can then tick a box to say they are using 2FA.

          If you are already using one of the original products like RSA then before long I can see the on-prem appliances going. The only offering will be in the cloud using the app and the physical tokens will be a thing of the past. RSA in particular don't seem to get the plot that just because you were the industry standard does not mean that will continue in perpetuity. We are moving away from RSA to MS because of the costs and as we are only using soft tokens now there appears to be no advantage. An app-based token is just that, as long as there is a plugin or SAML support pretty much anything will do the job.

          Open source may put you "in control" or be free, however many enterprises will stubbornly go down the commercial route to get the support and SLAs they want. We have had endless issues where some very clever people have put together systems based on open source tools then left. No matter how good the documentation is you can end up screwed because those left behind or new staff taken on simply don't understand what has been done. The solution may have been brilliant and hugely cost effective at the time but in the end comes to bite you on the arse. Open source has its place and there are some great solutions but just screaming "use open source" at every opportunity does not help. As ever with these things the decision makers remember what went wrong, not the things that are trouble-free.

          1. Dan 55 Silver badge

            Re: Or, indeed, an open source solution where you are in control.

            It's installing an app from the app store, you either get one and use it or get another and use that. There's little to choose from between authenticator apps, there's no worthwhile support that MS can offer for their own app as it either works or it doesn't and if it doesn't then it's probably something else wrong on the phone anyway, the experience of authenticator apps is practically the same no matter which one you choose, the only difference is open source ones generally export to an open format.

            But yes, we have the corporate mindset that is scared of something because it's not from MS. Presumably if something is not an albatross around your neck then it doesn't exist.

  10. Confuciousmobil

    When you request a PAC it is sent to your phone so I don’t understand how someone else could request one without you knowing?

    At least, that’s how it works in any civilised country.

    1. A Non e-mouse Silver badge

      A PAC is used when you're swapping carrier. To change to a new SIM with the same carrier doesn't involve a PAC. It just requires you to smooth talk the under-paid call center person that you are the genuine user and here's a spare SIM card you have lying around.

      1. FlamingDeath Silver badge

        Or in the case of dumb fucking companies, they think this PAC mechanism is intended to move numbers between accounts owned by 2 different parties, Errrr no

        Of course these overinflated shitbags cant see the ramifications of their stupid managerial decisions

      2. Roland6 Silver badge

        So a targeted social engineering attack that enables the spoofing of a genuine SIM, not an actual attack on the SMS service...

        How about a working example of an SMS attack that can intercept the SMS from MS to my phone which provides sufficient information for someone to access my MS account - last time I received an SMS from MS it didn't contain my MS Account username...

        1. A Non e-mouse Silver badge

          That's the SS7 type attack where routing messages are injected into the phone network.

  11. Anonymous Coward

    Usability

    There used to be no way to move Authenticator (on Android) from one device to another without re-registering all the accounts within. So I used to only use Authenticator for my top ten-ish most sensitive accounts, and SMS for the others.

    Fortunately that is fixed now and you can just transfer them using QR codes.

    Of course, it's possible that this feature existed previously and I wasn't aware of it. Human ignorance is unbounded.

    1. NeilPost Silver badge

      Re: Usability

      It’s similar shit on loads of things, usability/common-sense fails- HSBC Digital Secure Code, Apple Pay, crap when you add a finger print, crap when something just needs reset as locked out, Clumsy things on Apps when Card Expire (Tesco Bank still ... after 5 years FFS!!).

    2. Dan 55 Silver badge

      Re: Usability

      FreeOTP+ allows export/import to/from a json file.

      1. poglad

        Re: Usability

        Well that sounds really secure...

        1. Dan 55 Silver badge

          Re: Usability

          You can encrypt and store your exported file with your other backups.

          Your phone's storage is encrypted and has a PIN lock/fingerprint. If someone steals it they'd have to get past that and if they do you'd have problems anyway. If you're bothered about security you probably have some kind of find my phone/remote wipe set up.

          On the other hand if I don't have a backup of my 2FA keys and have several accounts, and I lose my phone or it dies or something, it's fucking annoying trying to get back in control.

          Part of security is availability.

          1. Handy Plough

            Re: Usability

            In this case I'd argue that portability is convenience, not availability. Don't forget, along with availability is confidentiality and integrity. Arguably being able to export JSON, even if you can encrypt it, breaks both those to some degree. At some point portability is not secure in this case, hence MFA over SMS being a bad thing.

  12. Grease Monkey Silver badge

    But microsoft themselves seem to offer SMS as a major for MFA.

    A physical token is the best solution for MFA. I've come across the use of apps such as Duo for MFA, but the problem here is that so many people access services and content from their phones. So putting an app on your phone isn't all that secure. If somebody has your phone and manages to get past the lock screen then they also have access to your "token". Of course people tend to save their passwords for every app and website on their phone for easy access; it's not sensible, but it's what folks do. As such, if somebody has access to your phone it's 0FA, not 2FA, that you're looking at. The username and password are already stored, and it doesn't matter whether you use an app or SMS: access to your online life is only a click away.

    A separate token may be old school, but just so long as you don't glue it to the back of your phone it should be more secure.

    But how many factors is multi-factor anyway? If you use biometrics to unlock your device, then there's a username and password (as long as you don't store them), then there's your SMS/token/app.

    The problem is that they are all easy to crack. For example most devices that use biometrics for access have some sort of fallback for when the biometrics won't work. Your fingerprint may be pretty secure, but if your fallback is a four digit PIN then your device is no more secure than if it just had the PIN. You've saved all your usernames and passwords? You don't say.

    1. IGotOut Silver badge

      So a separate token with no security (think dropped or stolen) is better than a phone with quite good security?

      Okaaayyyy.

    2. Anonymous Coward
      Anonymous Coward

      > But microsoft themselves seem to offer SMS as a major for MFA.

      To allow me access to moderately sensitive things at work, MS phone my home number. Which I ported to VOIP a year ago and can access from any device, anywhere as long as I know the password. Why not just ask me for a second password?

      > A separate token may be old school, but just so long as you don't glue it to the back of your phone it should be more secure.

      We used to have Cisco VPN which used a card with an array of characters on it. Like every single one of my colleagues, I had a scan of my card on Dropbox. It's us against the IT department and there are more of us than there are of them.

      1. Roland6 Silver badge

        >MS phone my home number. Which I ported to VOIP a year ago and can access from any device, anywhere as long as I know the password. Why not just ask me for a second password?

        Seems that what you've got is more secure(*) than a second password, which would naturally have to reside on an MS system (probably the same system as the first password, the answers to your security questions and your address/contact details) and hence be available for a third party to download etc.

        (*) It bears comparison to a public key (your VOIP phone number) and private key (your password).

      2. Crypto Monad Silver badge

        > Why not just ask me for a second password?

        When Microsoft phones on your registered number, you prove that you have access to the SIP account. But you do not send your SIP password to Microsoft, and Microsoft is not responsible for either storing or verifying it. That's the key difference.

  13. genghis_uk
    Windows

    Ironic

    I am only reading this because I was logging on to my Microsoft account and needed my phone to receive the 2FA SMS code...

    While I was waiting I thought I would check out the latest Reg news.

  14. Nick Ryan Silver badge
    Stop

    More clueless "password replacements"...

    > His answer: Microsoft Authenticator, a mobile app for Android and iOS that allows users to login using a fingerprint, face recognition, or a PIN in lieu of a password and with an OTP for accounts that support that standard.

    Oh FFS, the idiocy never stops, and this from someone at Microsoft who pretends through his job title to have a clue. Fingerprint and face recognition are NOT replacements for a password. They can replace or enhance an identifier, as in a user name or ID, but never a password. It is not feasible to change your fingerprints or face, or to keep them secret from others, so they can never be a replacement for the secret component of any form of authentication.

    1. Crypto Monad Silver badge

      Re: More clueless "password replacements"...

      > Fingerprint and face recognition ... can never be a replacement to a secret component of any form of authentication.

      They are never used in such a way, so you don't need to worry.

      Generally(*) what happens is: there is a private key stored in a secure enclave in your device. The corresponding public key is registered on a remote service, which grants access to the user holding the matching private key.

      At login time, the secure enclave will not perform an authentication operation using the private key unless you can first convince it that you are you - which might be via a PIN, or a fingerprint, or a facial recognition. Those things never leave the device, and are never stored on or verified by the remote service.

      From the point of view of the remote service, the user is logging in using a private key only. From the point of view of the local user, they are logging in "using a fingerprint, face recognition, or a PIN" as Microsoft says. But in reality, they couldn't log in with *just* those things; they also need the device which contains the private key.

      (*) For example, look at FIDO2 specifications
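The flow Crypto Monad describes (private key held in the device, public key registered with the service, a local PIN or biometric gating use of the key and never being sent anywhere) can be made concrete. The Go program below is an added example, not code from the page, from Microsoft or from any FIDO2 implementation; it simplifies FIDO2 to a bare Ed25519 signature over a random challenge (no authenticator data or client data hash), stands in a hashed PIN check for the enclave's user verification, and uses a constructed lockout limit of three wrong attempts, which is the device-side control that keeps a short PIN from being brute-forced on a stolen phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Authenticator models the device's secure enclave: the private key never leaves it, and a local PIN gates its use.
type Authenticator struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
	retries int // wrong-PIN attempts left; 3 is a constructed lockout limit
}

// NewAuthenticator enrols a PIN and generates the key pair; only the public key leaves the device.
func NewAuthenticator(pin string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv, sha256.Sum256([]byte(pin)), 3}, pub, nil
}

// Sign verifies the PIN on the device (it is never transmitted) and only then signs the challenge.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if a.retries <= 0 || subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		a.retries-- // burn an attempt; once exhausted the authenticator stays locked
		return nil, fmt.Errorf("user verification failed: wrong PIN or authenticator locked")
	}
	a.retries = 3
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty models the remote service: it holds registered public keys only, so its database cannot be used to log in.
type RelyingParty map[string]ed25519.PublicKey

// NewChallenge issues a fresh nonce so a captured signature cannot be replayed.
func (rp RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the login only if the signature over this exact challenge checks out under the user's registered key.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	auth, pub, _ := NewAuthenticator("1234") // constructed sample PIN
	rp := RelyingParty{"alice": pub}
	ch, _ := rp.NewChallenge()
	sig, err := auth.Sign("1234", ch)
	fmt.Println("signed on device:", err == nil, "accepted by service:", rp.Verify("alice", ch, sig))
}
```

Note that the service never sees the PIN: a breach of its database exposes public keys only, and a signature captured in transit is useless against the next challenge.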

      1. Roland6 Silver badge

        Re: More clueless "password replacements"...

        > But in reality, they couldn't log in with *just* those things; they also need the device which contains the private key.

        And therein lies the problem: lose the device, a relatively common occurrence, and how do you regain access?

      2. Nick Ryan Silver badge

        Re: More clueless "password replacements"...

        > At login time, the secure enclave will not perform an authentication operation using the private key unless you can first convince it that you are you - which might be via a PIN, or a fingerprint, or a facial recognition. Those things never leave the device, and are never stored on or verified by the remote service.

        > From the point of view of the remote service, the user is logging in using a private key only. From the point of view of the local user, they are logging in "using a fingerprint, face recognition, or a PIN" as Microsoft says. But in reality, they couldn't log in with *just* those things; they also need the device which contains the private key.

        You're missing the point. In order to unlock the agreed "secret" for use later, a user is unlocking using a non-secret authentication component. In other words, what was secure is no longer secure.

        Consider this:

        There is a steel door with a very secure lock securing it (the kind that "the lockpicking lawyer" would take more than a minute or two to open). The key for this very secure door is stored in a safe. The safe has a secure permutation (often mis-named a combination) code securing it. This code cannot be changed. The code is written down on a sheet of paper that's hung on the wall near the safe.

        In effect, how secure is this steel door? The lock itself is still a solid and very secure lock; unfortunately the key is not, therefore the door is not secure.

  15. Bitsminer Silver badge

    What's the worst-case scenario?

    "...I believe they’re the least secure of the MFA methods available today," said Weinert.

    Which is why the US Government uses it. To authenticate me for web-based updates for a fast-track border crossing smartcard (with RFID) that arrives in an RF-proof carrying case. The card is smart, and I like to think that I am smart, but, you know... the rest isn't so easy to believe.

  16. Anonymous Coward
    Anonymous Coward

    Non compatible with regulation

    Of course Microsoft isn't looking at the requirements beyond their own nose and major markets, but those in the comments referring to bank use of SMS need to be aware of PSD2 SCA (secure customer authentication).

    Essentially it mandates that your MFA is dynamically linked to the transaction and until Microsoft, Google and other authenticators can provide that rich context and linkage, Banks cannot use it.

    Most are trying to move to app-based authentication, but Microsoft paint too simple a picture here, and given a choice of SMS-based MFA or no MFA it's a simple answer as far as I am concerned.

    Let's not forget the enrolment challenge too: how do you securely get the authenticator set up? That presents a challenge in that banking environment.

    1. Dan 55 Silver badge

      Re: Non compatible with regulation

      Banks are dropping card readers and handwaving the "rich context and linkage" into SMS 2FA, so they've decided they can put up with the fraud.

      Authenticator apps are probably less susceptible to fraud than SMS because there's no way someone can use SIM swapping to get control of them. With SMS 2FA, if someone wants to target you to empty your account the only thing between them and you is a call centre drone.

      1. Anonymous Coward
        Anonymous Coward

        Re: Non compatible with regulation

        "With SMS 2FA, if someone wants to target you to empty your account the only thing between them and you is a call centre drone."

        Patentable BS. They'd need my user id and password also. Those aren't on the phone.

        Now tell us what the call center drone *can* do?

        1. Dan 55 Silver badge

          Re: Non compatible with regulation

          > Patentable BS. They'd need my user id and password also. Those aren't on the phone.

          Should have explained a bit more. They would use the call centre drone to get round the authentication factor. This can't be done with e.g. a card reader or security key or even an authentication app (clue: SIM swap, or take the SIM out of one phone and put it in another).

          > Now tell us what the call center drone *can* do?

          In one call you can change your address. In another call you can get a new SIM sent out. If you think you're clever enough you can do both in one call.

          Here's the FTC saying that SMS is not suitable if "you're concerned about SIM card swapping" and you should use an authentication app or a security key.

      2. Anonymous Coward
        Anonymous Coward

        Re: Non compatible with regulation

        > Authenticator apps are probably less susceptible to fraud than SMS because there's no way someone can use SIM swapping to get control of them.

        To set up MS Authenticator, all I needed was a live connection on the phone number my employer has registered for me. Any phone using that number for set-up could subsequently authorise anything over any old wifi. If sending an SMS message for each transaction is insecure, how about sending one SMS message which effectively authorises all future transactions?

        1. Dan 55 Silver badge

          Re: Non compatible with regulation

          > If sending an SMS message for each transaction is insecure, how about sending one SMS message which effectively authorises all future transactions?

          You would have to actually use the authenticator to authenticate so it doesn't authorise every future transaction. If the phone is lost or stolen the shared secret can be disabled meaning that the authenticator will no longer authenticate.

    2. Strahd Ivarius Silver badge

      Re: Non compatible with regulation

      Wasn't there an EU directive mandating banks to switch to application-based MFA?

  17. 9Rune5

    Someone - maybe even you - requested authentication

    I love MFA, except for one niggle: Eventually my session will expire. With more than one device involved, this timeout might occur whilst I'm slouching on the couch and one of my computers is humming away in my little office.

    The Authenticator app does not bother telling me who initiated the signon. I'd love to know which application (was it Outlook? some Azure app?) and ideally IP address (someone in China or my own connection?).

    At least then I would know which of my six browser windows (each filled to the brim with tabs) to check.

  18. J.G.Harston Silver badge

    Plus login is a noun. You need a verb there, viz: log in.

  19. Uplink

    Drop all that

    Authy user here, because of the convenience of SMS, with the knowledge that the private keys are mine. It survives across resets, and I can satisfy my ADHD by having it on multiple devices easily.

    Ideally, SIM swapping should be fixed.

    Getting an SMS to show that I'm in possession of my phone is very convenient, and it seems easy to implement at the login provider end even when they have code monkeys (a totally different security issue altogether).

    It also works on dumbphones, for those who don't want to be tracked by Zucky, Gates, et al.

    It is universally understood by people who otherwise don't know their Google from their Facebook.

    The processes and PSAs should be as simple as a 5 year old can understand ("don't talk to strangers who call you out of the blue claiming to be from your bank, phone company, utility, dentist, child who's had an accident, investor who has the latest scheme to make you money, etc.") and the professionals can stand behind.

  20. Daniel Feenberg

    A better way to use a phone as a second factor

    Duo Security offers a variation on the phone as second factor. One of their authentication options is to make a voice call to your phone and ask for a PIN to be entered on the phone keypad. Wrong PIN, no login. This means that a stolen phone or SIM won't work to authenticate. It also means that landlines will work as a second factor.

  21. Anonymous Coward
    Anonymous Coward

    "except where public switched telephone networks are involved"

    And offer their own remote controlled "application" as a replacement. Blatant advertisement disguised as "security advice": MS just wants to be gatekeeper instead of Google Authenticator.

    No more, no less. At least here in North phone networks are *much* more reliable & secure than any 'app' running in a freely exploitable phone.

  22. Anonymous Coward
    Anonymous Coward

    Microsoft Authenticator - as my beloved employer uses it anyway - required mobile data to set up on my phone but thereafter works on wifi. As far as I can see, anyone with access to my mobile phone number could take control.

  23. Barrie Shepherd

    Authentication using over-the-air mechanisms to mobile phones is all very well - when you are in your home country within coverage range.

    If you have the audacity to be overseas (OK not these days) they fail when the 'interconnected roaming networks' don't deliver the SMS for 20 or 30 minutes, or never.

    Personally I like my dongles; they have served me for many years and either of them works with both the banks I use (which surprised me).

  24. MachDiamond Silver badge

    Segregation

    I keep my financial stuff offline. I don't need 24/7 access to my retirement, savings, money market accounts and don't want to let anybody else have access either. Maybe some time down the road I will want something available and I'll likely open an account that isn't linked to any other account and put money in it from time to time. That should limit my exposure. A mobile is easy to nick so if you have your banking on the phone, it's not going to be all that hard to have your money off you if they get it. I get really angry when I'm "verified" by the number I'm calling from. My phone doesn't ring every 5 minutes so I might not realize it's gone for a while. If I do see it's missing, how do I contact the bank and other institutions? I'll have to get home and pull out the sheaf of dead treeware and then try to convince the person I get a hold of that I'm me. Their script will likely have them asking you to verify the code they just texted you even after you tell them your phone's been nicked.

  25. FXi

    Not a good solution either

    Apps fail and get compromised too. And they have privacy issues where SMS does not carry that burden "yet". Worse, now you want me to have yet another "app" stuck on my device to help with someone else's security. And it won't be long until every single party has their "own" app such that we have 20 different varieties of the same thing. All that to fix the fundamental issue that we simply don't have good security on our phones or on SMS. Gee, we need a rocket scientist to understand that.

    Meanwhile, SIMPLY adding 2FA via SMS stops 95% of most attacks. That's not 100% and yes, SIM swapping (mostly involving an "insider", which is the Achilles heel of almost every security methodology on the planet) still exists as a weakness. How about addressing that as the problem?

    More apps is a path that has a plague of issues (compatibility, age of the device, operating system version and weaknesses if not up to date) that just don't make it so much of a "better" choice. And we aren't even counting the fly-by-night security apps that will pop up all over the place and bring the next wave of who do you trust with your data. The goal MS highlights, that existing methods need improvement, is valid. The route to answers just brings more problems.
