On Tuesday, Microsoft advised Internet users to adopt multi-factor authentication (MFA) … except over public telephone networks …
Multi-factor authentication, for those who have not been paying attention, means adding one or more additional access criteria to password-based authentication. For example, an online bank can send a text message to the mobile phone number associated with the account to increase the chance that the person entering the account password is authorized to access the account.
This technique is not foolproof, although it provides additional protection against attackers using different techniques to access the victim’s online account or guess the password. MFA can also be used with a password manager: think of multi-factor authentication as extra security.
In a blog post, Alex Weinert, director of privacy at Microsoft, says that people should definitely use MFA. He argues that accounts using any type of MFA represent a risk to less than 0.1% of the total population.
At the same time, he says that SMS or voice calls should not be used to deliver one-time passwords (OTPs), as telephone protocols are inherently insecure.
These mechanisms are based on public switched telephone networks (PSTN), and I believe they are the least secure of the MFA methods available today, Mr. Weinert said. This gap will only widen as MFA implementations increase attackers’ interest in hacking these methods and as purpose-built authenticators extend their security and usability benefits.
Attack techniques such as SIM swapping – where an attacker calls a mobile network operator claiming to be a customer and asks for the customer’s number to be transferred to another SIM card controlled by the attacker – and more sophisticated network attacks such as SS7 hijacking have revealed vulnerabilities in the security of public telephone networks and the companies operating them.
Computer scientists at Princeton University conducted a study [PDF] earlier this year on SIM swapping, and their findings support Weinert’s claims. They tested AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless and discovered that all five operators were using insecure authentication challenges that attackers can easily subvert.
They also examined 140 online services using phone authentication to see whether they can withstand SIM swap attacks. And they discovered that 17 authentication policies allow an attacker to use a SIM swap to hack an account.
In September, security company Check Point Research released a report describing various spy campaigns, including the discovery of an Android backdoor used to steal two-factor authentication codes from text messages.
Weinert states that SMS and voice protocols were not designed with encryption, are easily attacked through social engineering, depend on unreliable mobile operators and are subject to changing regulations.
His answer: Microsoft Authenticator, a mobile application for Android and iOS that allows users to log in with a fingerprint, facial recognition or PIN instead of a password, and that provides OTPs for accounts that support these standards.
The authenticator uses encrypted communication, which enables two-way communication based on the authentication status, and we are currently working on adding more context and control to the application to help users secure themselves, says Weinert. Just last year we added blocking applications, hiding screen alerts, application connection history and much more – and that list will grow over time as you plan an implementation, and it will continue to grow as long as SMS and voice remain static.
For those who are more interested in working with Microsoft Gates, there are alternatives such as Twilio’s Authy, Cisco’s Duo Mobile, Google Authenticator and password managers such as 1Password and LastPass. Each of them would be an improvement over SMS and voice.