Microsoft cautions against SMS 2FA


Microsoft have announced they will direct users away from SMS 2FA (‘text-based’ two-factor authentication) for security reasons.

Instead, the company will promote multi-factor authentication methods they consider to be more secure – including biometrics and secure authentication apps such as Microsoft Authenticator – for logging into Microsoft services such as Microsoft 365 and Azure.

SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.

However, many now believe that even SMS can be intercepted, and would rather sign users onto authenticator apps or issue secure keys with encoded passcode generation.

Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Those using SMS-based two-factor authentication should not ‘stop’ doing so (despite the flaws of SMS, any 2FA is better than none), but should consider swapping to other methods.

We’ve talked before about the often-predicted ‘death of passwords’ – and possible scenarios for their phasing out – but in recent years a number of big tech firms, including Apple, Google and Microsoft, have all suggested long-term plans that seek to replace passwords with biometric or other forms of login.

However, this modification to Microsoft’s advice will see more of a driving force behind MFA as specifically biometric, authenticator-app or secure-key based, rather than relying on mobile networks for one-time passcodes.

 

For cybersecurity expertise and support, please contact our IT team today.