With a large portion of people working from home in light of the ongoing pandemic, digital security and privacy have become more important than ever. And while we may not be observing National Cyber Security Awareness Month (NCSAM) anymore, Microsoft has not given up on promoting cybersecurity initiatives.
Now, Alex Weinert, who is the Director of Identity Security at Microsoft, has penned a blog post highlighting the need to move away from multi-factor authentication (MFA) mechanisms that rely on the public switched telephone network (PSTN).
The executive has highlighted various reasons to let go of MFA systems based on PSTN such as SMS and voice. However, Weinert has emphasized that MFA itself is essential, it's just the way people use it that should change.
To that end, the executive has stated that PSTN-based mechanisms are the least secure MFA methods available, because practically every existing exploitation technique, such as phishing and account takeover, can still be carried out against them. This situation is only expected to get worse as attackers shift their interest to breaking MFA systems, which in turn depends on how widely the public adopts them. Furthermore, PSTN messages can't be adapted to different users either, so the potential to further improve security through them is limited.
Weinert went on to say that attackers can deploy software to intercept PSTN messages inflight on most networks, which means that this is yet another unique attack surface that is there to be exploited by malicious actors. He further stated that:
It’s worth noting that most PSTN systems are backed by online accounts and rich customer support infrastructure. Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel. While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems. This leads to everything from message intercept, to call forwarding attacks, to SIM jacking.
Unfortunately, PSTN systems are not 100% reliable, and reporting is not 100% consistent. This is region and carrier dependent, but the path a message takes to you may influence how long it takes to get and whether you get it at all. In some cases, carriers report delivery when delivery has failed, and in others, delivery of messages can take a long enough time that users assume messages have been unable to get through. In some regions, delivery rates can be as low as 50%! Because SMS is “fire and forget,” the MFA provider has no real-time signal to indicate a problem and has to rely on statistical completion rates or helpdesk calls to detect problems. This means signal to users to offer alternatives or warn of an issue is difficult to provide.
The executive also noted that regulations regarding SMS and calls change rapidly and vary from region to region, which may result in outages when using MFA systems based on PSTN.
Moving forward, Weinert recommends that people use app-based MFA such as Microsoft Authenticator, since it addresses almost all of the problems with PSTN systems highlighted in his blog post.