Microsoft Urges Users To Stop Using Phone-Based Multi-Factor Authentication

Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys. From a report: The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts. Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts. But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA. The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today. Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.

Nuance lacking

[sinij]

It is SMS-based MFA that is bad idea. You could have a system that uses TPM and signing as a proof to have a very secure MFA.

Risk?

[bagofbeans]

What's the risk of voice call to a landline? No SIM swapping risk.

Re:

[cayenne8]

What's the risk of voice call to a landline? No SIM swapping risk.

Who actually has a land line these days?

Re:

[sinij]

While risk is lower, because knowledge of how to attack landlines is lower, it is still possible to port a landline number in what is effectively an equivalent of SIM swapping attack.

Re:

[Anubis IV]

Landlines are still unencrypted, so a dedicated attacker with some basic awareness of POTS can easily listen in. Alternatively, there have been several reported cases of attackers posing as customers, transferring the landline to a mobile line, then taking the call, bypassing any physical advantages landlines provide.

E-mail and sms authentication hazard

[goombah99]

All your password recoveries for banking as well as TFA run through your phone. So is someone has access to your phone, can sim duplicate, or an app can exploit a security hole you are ruined.

I like to keep two e-mail accounts. One for banking type things, and one for everything else. I don't store the authentication for the banking one on the phone.

However this is nuiscance. Because I seldom log into the banking one I also fail to get notifications in a timely way.

I wish banks would recognize this and l

Re:

[Darinbob]

I coworker recently broke his phone. He got a replacement, but was unable to get work done. Could not login to outlook, could not login to the Microsoft cloud, could not pull or push from git, could not use VPN, and could not even open a support ticket with IT. Nothing could be done remotely except to phone in to meeting with voice only (thankfully some phone still support voice calls). It was a few days before he was back up and running.

The problem with MFA is essentially what happens with things go wr

Re:How the h* you miss the money in SMS

[nitehawk214]

Sure, but SMS is inherently insecure. It is possible for authenticator apps to cost less for Microsoft and be more secure.

Forgot forced monitoring phone

[will4]

My company policies include forcing me to install anti virus, remote push and other apps on my personal cell phone if I use an app based 2 factor authentication for work email.

#1: It's my personal phone
#2: the company cannot add any sort of apps which may be collecting telemtrics on me to my personal phone

The best illustration is, can the company force me to wear an ankle monitoring device which uses cell signals to report my movements?

Obviously not. So why does hiding it under "better security" justify thi

Re:

[sinij]

Transfer your phone plan to SO, tell your company that you do not own a phone and it is provided to you by your spouse, inform that your spouse does not consent to such use, and ask them to provide a work phone to you.

Personally, I keep a landline and tell everyone that this is my official phone. If they want something else, they have to provide it to me.

Re:

[DarkOx]

Lots of employers have conditions like "you must have reliable transportation" for employment. I am sure they can just say, "you want to work here, then get a phone"

Re:

[nitehawk214]

Phones are so cheap that it is entirely stupid for a company not to provide one if one is actually necessary.

Re:

[ceoyoyo]

Also, any phone based authentication is a pain in the ass if you ever have to change your phone number. I still have a number from the last city I lived in specifically because I'm afraid I'll forget to change some critical account somewhere.

Microsoft's authenticator app is actually pretty slick. Much more convenient than SMS.

Re:

[nitehawk214]

Yeah, I implemented a google authenticator integration at work. Its easy to do and works fine.

Re:

[skids]

Microsoft's authenticator app is actually pretty slick.

It's actually bottom of the barrel. Stuff like Duo at least lets you tell the user what service they are approving access to, doesn't stack up multiple requests in the same notification bar so you can't tell them apart, and server-side has a REST API that lets you track individual authentications by cookie and can configure timeouts and other important parameters. I haven't looked at it yet but I wouldn't be surprised if PrivacyIdea (FOSS) is more full featured than MS Authenticator.

Re:

[jrumney]

App based is also a pain in the ass if you ever lose or damage your phone. Phone based is significantly less hassle in this case, as I can walk into a phone store in any mall and get a new phone with the same phone number, but the TOTP keys are unique.

Re:

[ceoyoyo]

TOTP is open. It's not tied to your phone. Take the key and put it in your password manager, or write it down and put it in a safe.

Re:

[necro81]

How the h* does anyone not realize that it costs more money for Microsoft to use SMS and more money to support two ways to do the same two factor authentication (app based and SMS based)? Put one or two critical questions in the article summary instead of just parroting the lead two paragraphs.

Welcome, Oh Wise UID > 7,000,000!

Is it not possible for both to be true at the same time, that 1) SMS-based MFA is more expensive for an organization to run, AND 2) it is also vulnerable in ways that app-base

Re:

[tepples]

SMS-based MFA reassures the organization's advertising sales department that each user has enough disposable income to maintain a valid subscription to a globally unique line of cellular service with unmetered incoming SMS.

Just don't lose your phone

[CubicleZombie]

My phone broke, taking Microsoft Authenticator with it. For the three days it took to get a replacement, I couldn't work at all.

Not to mention one place I was working, I couldn't get a cell signal inside the building. So three or four times a day, I'd have to take my laptop out into the parking lot to reauthenticate. Very annoying.

Re:

[sinij]

For this very reason I have a dedicated smartphone that only used MFA. It is very cheap to pick up used Samsung phone with a cracked screen, load custom distribution [wikipedia.org] (or just wipe it if you are lazy) and use it for MFA. Also, damaged screen would remove temptation to use that device for other purpose.

TOTP doesn't need to go on a phone

[martynhare]

The "something you have" can be the PC you actually normally use to log on to services. You can use TPM/Enclave virtual FIDO/U2F authentication with TOTP as a backup and then you don't need a phone or a fancy FIDO/U2F token if you don't want it. KeePass with TOTP Tray Plugin (for desktops/laptops) and KeePassium (for tablets) means you can sync your passwords and 2FA with whatever tool of choice you desire, whether it be using cloud providers, LAN-based services or entirely offline.

Alternatively, if you lack a TPM just use WinAuth backed by DPAPI+Password if you want to use your existing browser keychain for password saving while having TOTP 2FA on your PC in a reasonably secure manner. In the year 2020, there is NO reason to need a phone or use SMS codes at all for 2FA.

Re:Just don't lose your phone

[DarkOx]

I couldn't get a cell signal inside the building

which is pretty good argument for app based authentication vs SMS. Most of those are TOTP or HOTP. Which does not require any communication with the service after the initial key is obtained once when you first set it up. Given these can be easily transferred by just typing it in or a QR code scan there is not dependence on network access at all.

Re:

[ceoyoyo]

Nor for a cell phone. TOTP and HOTP are open protocols. You can write your own generator program, or use one of the modules in your language of choice.

Re:

[WaffleMonster]

which is pretty good argument for app based authentication vs SMS. Most of those are TOTP or HOTP.

I completely disagree. These schemes are to put it bluntly total crap due to lack of cryptographic channel binding.

The most standardized, cheapest and widely used MFA scheme are client certificates which are properly cryptographically bound and dirt cheap with a variety of hardware and software options.

Given these can be easily transferred by just typing it in or a QR code scan there is not dependence on network access at all.

Ditto for PKI.

Re:

[Pascoea]

I couldn't get a cell signal inside the building...I'd have to take my laptop out into the parking lot to reauthenticate.

Your building doesn't have WiFi?

three or four times a day

Did you miss the "remember my device for 30 days" or "keep me logged in" (or whatever they call it) check boxes?

For the three days it took to get a replacement, I couldn't work at all.

Check the "I don't have my mobile device with me" section here: https://docs.microsoft.com/en-... [microsoft.com]

Re:

[EvilSS]

Did you miss the "remember my device for 30 days" or "keep me logged in" (or whatever they call it) check boxes?

To be fair, with Azure AD you can disable that checkbox. So it's possible their admin did just that.

Re:

[Pascoea]

You're 100% right, but I think I'd be having words with my Admin if I had to use MFA every time I opened outlook. There are loopholes in my other snarky comments as well: The "I don't have my mobile device" has to be set up prior to losing/breaking your phone. And it's plausible that the building won't let their phone on WiFi.

Re:

[Darinbob]

Actually, what do you do if you lose your phone? It happened to a coworker and he was out of commission for several days. Outlook doesn't direct you to a recovery page, it just fails to authenticate. You can't get to the main internal web pages with IT info because you can't authenticate. I don't even know the email or phone number for IT without going to the internal corporate web page... So unless you wrote down the instructions somewhere and remember where you put them, you're stuck schlepping the in

Re:

[Pascoea]

Obviously ymmwv based on what the Admins have set up. For us, the only time Outlook asks for a password/MFA is when you change your password. Open Outlook, it bitches about not being able to auth, and asks you for your password. You provide the password and it bumps you to the MFA screen, asking you to approve the request on your mobile device. That MFA screen has a link that takes you to the "authenticate another way" webpage. I haven't used it in a while, but I think it asks for your recovery email a

Re:

[Darinbob]

I use that checkbox, but at least 5 times I day I am fumbling for my phone because all the services are not synched to each other. There is a "single sign on" but it's only a fraction of the stuff actually needed for me.

("Single sign on" sounds like a euphamism for "single point of access breach", and security in the "cloud" seems less secure when your virus riddled home computer with keyloggers is now allowed to connect. I don't think it's a coincidence that the amount of mandatory computer security cour

Re:

[omnichad]

If their admin is competent enough to find that, they'd be competent enough to suspend MFA on the account so the user can redo the setup.

Re:

[cayenne8]

Your building doesn't have WiFi?

That is not uncommon in environments that require some semblance of security.

Re:

[Pascoea]

I understand, and to be honest I was just being snarky. But if there's no wifi is the presumption that he's on a wired network? So the process is to unplug, go outside, set up a hotspot, authenticate, go back inside and plug back in?

Re:

[pete6677]

You mean like hospitals? Nearly all of which have Wifi.

Re:

[BrainJunkie]

Did you miss the "remember my device for 30 days" or "keep me logged in" (or whatever they call it) check boxes?

Where I am at the moment those have no effect. It is something along the lines of "Do you want to be asked to log in less often?" and choosing Yes or No or ticking the "Don't ask again for 14 days" box, or any combination thereof, results in the same frequency of authentication requests.

Microsoft also built its Authenticator app and the interaction with other productivity apps in a way that is bizarre. There is no way to easily tell when an app, like Outlook, has called Authenticator and brought it full

Re:

[Pascoea]

Honestly, I don't have an issue with the "don't ask me again" feature. It seems to work for me until I change my network password, then it's chaos. The joke around here is "Oh shit, it's password change day. Guess I'll see you guys online tomorrow." As far as your other points, spot on. The whack-a-mole game of "which app is asking for auth now" is a fun one. Skype, Outlook, Teams, Office... giant pain in the ass.

Re:

[Ken D]

And isn't it fun when something that memories your credentials keeps retrying your expired credentials until your account is locked?
I love password change day! I'm on P4ssw0rd7! how about you?

Re:

[Pascoea]

123456!

Re:

[Darinbob]

This part is a bit confusing. I would think this would apply mostly to consultants who use their own laptops. Their authentication works great everywhere until they have a client in a big cement building and lots of metal frameworks in the walls and ceilings. If the employer was the one requiring SMS authentication for their work laptops and IT hadn't figured out the problem with that, then it would be somewhat bizarre (and typical for CIOs).

I worked with a place that had a cellular antenna on the roof a

Re:

[Pascoea]

Normally don't reply to ACs, much less ones that can't figure out how the quote tags work here...but, eh, what the hell.

Not all carriers service all locations like they advertise. Not all of us get to pick and choose where we are working. Some of us go to where the work is.

How is that relevant to the WiFi discussion? That's the root of the problem, his Cell didn't work in the building, so I asked if they used the WiFi.

Did you miss the "remember my device for 30 days" or "keep me logged in" (or whatever they call it) check boxes?

If you're using a laptop in a location with spotty cell service and the device goes to sleep/standby and you're connected to a VPN, not all VPN's allow you to reconnect without re-authing.

Hence the reason for the "remember my device" checkbox. We're talking about the "Don't ask me for X days" checkbox on the MFA check. You still have to enter your password, but telling MS that you don't want to be asked to use your MFA key fo

services must support multiple authenticators

[nicolaiplum]

The problem of your single authenticator breaking is a serious one. For services with 2FA and poor customer service (Facebook, retail Google, etc) you can face significant problems setting up a new authenticator without the old one.

The obvious solution is to permit multiple authenticators, of multiple types. I have seen some that do, but almost none of them are commercial solutions (they are in-house solutions instead).

You should be able to install and run push authentication apps (like the Okta app, for example) on multiple hosts. You should be able to have multiple Google Authenticator apps on different devices [1]. Multiple secure hardware tokens should be supported.

A major reason why I don't have 2FA on some services (just a very long password in a password manager) is because of the nigh-impossibility of authenticating yourself without the authenticator if it breaks.

[1] Yes, you can store the Gauth seed and install it more than once to generate the same number sequence, but storing the seed is a major security problem itself. How do you guard the seed? With more 2FA? That is not helping. The service must support multiple concurrent Gauth seeds for each user.

Re:

[DarkOx]

The obvious problem with that is, I have no idea if the cleaning crew let someone into my locked office and they helped themselves to my back up token from desk drawer, while I am remote.

The point of authentication is to be sure about identity if you allow people to have multiple tokens you reduce the likelihood all of said tokens remain under their personal control. This lowers the integrity of the system over all.

Re:

[AmiMoJo]

Just keep your backup token in an encrypted file and make sure it's well backed up and distributed.

Keepass is a good for this. Multi-platform, supports cloud storage for easy sync and that way you will end up with multiple backup copies across various devices.

Re:

[Darinbob]

If the point of authentication is a phone, which currently is high on the list of things that are often stolen or broken, then it's a problem. For some non-work services, what do you do? Well, go to the main website for WoW, enter your username and password, answer some random questions about your mother's maiden name and what high school you went to, and... do exactly the same old thing you did before 2FA.

Reminds me of my first post-college job. They wanted my social security card as proof of my identit

Re:

[thegarbz]

The obvious solution is to permit multiple authenticators, of multiple types.

Which Microsoft does... so the real problem is actually end users not understanding how software works.

Re:

[AmiMoJo]

I use Google Authenticator and it allows you to export your auth tokens so you can keep a secure copy. Most sites that support 2FA also let you generate recovery codes which you should also keep somewhere safe.

Keepass is a good option for storing all this stuff. There are plug-ins for those kind of time-based passcodes and of course you can keep all your recovery codes in there.

Not sure why signal was an issue, Microsoft Authenticator and similar apps don't need internet access to work. The codes are genera

Re:

[thegarbz]

I couldn't work at all.

So what you're saying is you didn't setup a backup authentication method (of which Microsoft supports 4) and then you didn't click "sign in a different way" when presented with the authentication required screen on the PC?

I mean yeah that's quite silly isn't it. Now that you've learnt from that may I pre-empt your next problem and remind you backups are also important.

Re:

[bloodhawk]

that would be the fault of whoever setup your MFA for you. You should have multiple options/fallbacks, not be 100% reliant on a single factor.

SMS and Email APIs just as bad

[Pimpy]

Google and others have also started allowing apps to hook the SMS and Email APIs to auto-intercept the token and pass it on to the app via deep linking, requiring no actual intervention by the user. Brilliant.

A good password

[ugen]

A good password (that is not shared across accounts) beats any amount of Rubegoldbergesque "MFA" (which, primarily, serves to deny legitimate account holder access in the situations where it is needed most urgently).

Re:

[AnonyMouseCowWard]

Agreed. MFA is in theory more secure, but in practice it's just one more layer of complexity for normal people, and it means if I change my phone number or my e-mail gets hacked I can also no longer login to my bank account.

Re:A good password

[DarkOx]

Not really. A good password might still be vulnerable to replay attacks, sniffing, lifted from wdigest, if you PC is compromised etc.

Having a one time value calculated on an external device really does provide protection against a number of threats password alone cant fully address.

Re:A good password

[ugen]

While that is true, MFA is also vulnerable to many attacks (primarily confidence and social engineering kind).

Regardless, any added security value of MFA is completely negated by its capability of denial-of-access. If the service protected by MFA is sufficiently important to warrant MFA, then that service is also sufficiently important that losing access to said service at an arbitrary point in time due to MFA is not acceptable.

For that reason, I use my own hosted email (and a voip based verification phone that forwards to the email).

If I were to rely on gmail/hotmail, which force a type of MFA on me, in particular when away from the home IP, that would, in turn, propagate to banks, financial service accounts, airline accounts and such (which themselves require MFA over email or phone). And that would (and did, in the past) result in me not being able to access these services, usually at the time when access is required immediately and not having such access could cause financial loss or worse.

BTW, I wonder when Apples "find my iphone" will begin requiring 2FA to mobile device :) :)

Re:

[DarkOx]

I agree its a problem. The thing is no MFA tech is really going to solve it.

There are services where I'd rather be locked out of and have to do something inconvenient to get back into than clean up what someone does with unauthorized access. Bank is a good example. If I get locked out of my account, well I have credit cards, a paper checkbook, and some cash around. I can probably survive long enough even if I am traveling to where I can eventually show up an bank branch in person with whatever documentat

Re:

[ceoyoyo]

How is an open protocol one time password generator vulnerable to denial of service?

Or are you equating "MFA" exclusively with the very SMS/e-mail based systems that MS is discouraging?

Re:

[G00F]

also with a bank not only are you able to continue to use their service, but you have multiple paths to get around being locked out of said account. With google and many others you have zero options.

Even if you somehow manically get in contact with someone at google, they will simple cite using their existing path that has you locked out.

Re:

[swillden]

MFA is also vulnerable to many attacks (primarily confidence and social engineering kind).

Security keys aren't. I mean, I guess in theory you might social-engineer someone to meet you and hand over their key, but people are more automatically protective of physical objects.

Re:

[WaffleMonster]

Not really. A good password might still be vulnerable to replay attacks, sniffing

Replay attacks? Sniffing? lifted from wdigest? When you use secure zero knowledge key agreement schemes such as TLS-SRP readily available in current TLS stacks these things are a non-issue.

The real problem isn't passwords. The real problem is the worlds love affair with completely INSECURE web login forms. Relying on non-mutually authenticated TLS alone has proven to be insufficient and dangerous as it fails to protect users from phishing and similar treachery countless millions have unnecessarily fal

A password manager

[wiredog]

With a good passphrase. Put all your eggs in one basket, and guard the basket.

Otherwise you have to remember, or write down, too damn many pass phrases.

Re:

[AmiMoJo]

Password manage with 2FA.

Keepass supports that but only on some platforms unfortunately.

Re:

[swillden]

A good password (that is not shared across accounts) beats any amount of Rubegoldbergesque "MFA"

No. Passwords are phishable. And if you think you're too smart to be phished you're fooling yourself.

Actually, this is also a big problem with SMS-based 2FA, as well as HOTP and TOTP solutions (though SMS has other problems that HOTP and TOTP don't). Those are a little harder to phish, but they're also ultimately phishable. Security keys are far better, though not as widely supported.

(which, primarily, serves to deny legitimate account holder access in the situations where it is needed most urgently).

No, you just need multiple second factor options. Security key + TOTP + backup codes is pretty good. Of course multiple opt

Re:

[WaffleMonster]

No. Passwords are phishable. And if you think you're too smart to be phished you're fooling yourself.

Not if you use a secure authentication method. Clear text login over TLS is NOT a secure authentication method.

People think passwords are this and that not because they inherently are but because we have a world full of people addicted to insecure adhoc web login forms. The predictable result of that has been countless millions of people owned.

Re:

[swillden]

No. Passwords are phishable. And if you think you're too smart to be phished you're fooling yourself.

Not if you use a secure authentication method.

Do you know what phishing is? The way the password is submitted for authentication is completely irrelevant. Well, except in the case that the phisher actually can't get access to the place they need to type the password in, in which case the password itself is irrelevant, but that's not generally applicable.

Re:

[bloodhawk]

No it doesn't. If a keylogger, phishing, camera, various other hashing attacks or just a lucky brute force guesses your password they have control. with MFA it is not enough that they got your password. Your entire account is vulnerable to a single successful attack without MFA.

Re:

[WaffleMonster]

No it doesn't. If a keylogger, phishing, camera,

Crummy SMS MFA schemes do not address ANY of this.

If they can get your password via keylogger or camera they can get one time code the same way. One session is all that is necessary to steal all of your private data or transfer all of your money.

If they can successfully phish you the phishing site can simply proxy your entry of MFA code and login as you because these crummy schemes are not cryptographically bound to underlying session.

various other hashing attacks or just a lucky brute force guesses your password they have control.

Hashing attacks don't work against secure authentication protocols and o

Re:

[WaffleMonster]

A good password or passphrase doesn't protect against snooping or against phishing and similar social engineering attacks, which are what 2FA are designed to defend against.

Yes it does. All you need to do is use a secure authentication protocol. Zero knowledge key agreement schemes are able to provide both parties with proof of possession over completely insecure channels without leaking any material that can be leveraged (e.g. digests/challenges) for offline compromise.

Using a secure authentication protocol to login to an attackers service wins the attacker NOTHING. The login fails, the user hopefully realizes their mistake, nothing good happens to the attacker and nothing

Where are the tags?

[GameboyRMH]

I want to tag this "suddenoutbreakofcommonsense" but the tag system seems to be gone.

I've always avoided phone-based MFA for this exact reason. It makes you vulnerable to SIM-swapping etc. A good strong password is hard to beat, add a keyfile or OTP authentication if you're really paranoid.

To clarify, stop using SMS and voice calls as MFA

[UnknowingFool]

MS is saying to stop using SMS text messages and voice calls as authentication because they are not as secure. They did not say to stop using apps on smart phones or desktops.

Re:

[thegreatbob]

I also wonder how much the cost of running the infrastructure weighs in on their attitude.

Re:

[EvilSS]

For corporate accounts with Microsoft, you have to have paid subscription (AzureAD P1 or P2), or a usage based paid account to use those methods anyway. The free AzureAD only supports app based authentication.

SMS Usually Only Solution Disaster Recovery

[Gutspawn]

I toss recovery codes in a safe, if a service supports em. Most donâ(TM)t seem to. That means Iâ(TM)m screwed when I inevitably lose my phone, or if I havenâ(TM)t used the service in 5 years and never migrated my MFA app. SMS keeps ticking, forever. One trip to the phone store and all services are back in business.

Re:

[PPH]

One trip to the phone store and all services are back in business.

Exactly what the port out scammers (SIM hijacking) are thinking.

So fix the ACTUAL problem!

[Comboman]

So the real problem isn't that SMS is insecure for MFA, it's that the phone company's process for porting phone number isn't secure. THAT is the security hole we should be trying to fix. I should have to go the nearest phone company outlet and show them some photo ID before they port my number to a new SIM, or a least give them password that I picked when I signed up for the number (and if I forget, I can go down and show my ID).

Re:

[PPH]

You should have to. But half of the people standing at the outlets' service desks crying are those who lost their passwords, wallets and everything. And since their life is tied to a phone number, they are screwed. The other half are SIM hijackers are crying about how their life is tied to a phone number and they are screwed.

You can propose any security protocol you'd like. But the hijackers will always come up with a story about why they simply have to have call forwarding through some anonymous Internet

Re:

[ledow]

I use TOTP via things like Google Authenticator.

And you can backup the seeds and have them on multiple simultaneous devices, and even offline (so long as your clocks are even vaguely correct).

And you can then store a QR code with the seed if you want to get really paranoid, or generate a one-time list of backup codes.

Pretty much everything I deal with supports TOTP in some fashion, usually in a way compatible with Google Authenticator.

Hell, I deployed the same in work for half-a-dozen services.

Re:

[ceoyoyo]

Judging by the comments, I think half of Slashdot doesn't have the slightest idea how TOTP works. Sad.

If you don't know and you're reading this, go take a look. It's pretty cool.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Dumbphone users?

[clawsoon]

I'm a dumbphone user. My workplace just set me up with SMS MFA. Will any of the recommended methods work for me?

Re:

[Bomazi]

You can use a mobile signature with on-board key generation. All it requires is the SIM toolkit, which all phones support. One marketing name for this is Mobile ID. You might need a new SIM card though, and this functionality is often not offered on prepaid cards.

Re:

[clawsoon]

Interesting. So this is available for my ten-year-old Sony Ericsson candybar phone [gsmarena.com]?

Users aren't the problem

[Comboman]

Microsoft should be talking to webservice owners, not users. Very few webservices even offer a choice of which MFA path to use (if they offer MFA at all).

Re:

[LostMyAccount]

Two of my financial institutions just started offering/mandating the use of 2FA for web logins and they both use SMS codes, with no TOTP option at all.

AFAIK, at least of these institutions has offered RSA keys for commercial accounts for years (as I have seen the branded keychain tokens on people's desks).

Either these companies are lazy and only want to support the lowest common denominator system (SMS) or there's something they don't like about TOTP systems.

this sucks

[fluffernutter]

I use an Android device for my day to day but I have an iphone for testing. For some reason when i need to do anything with my Apple account it only comes up on my iphone so i need to go hunting for it and charge it and use it. If any off these password alternatives lock you into using a certain device that i may or may not have in working order i dont want anything to do with it.

NIST said 2FA over SMS was deprecated

[at10u8]

Remember that in 2016 NIST said 2FA over SMS is deprecated [schneier.com]. Follow the thread in that Schneier article and the links to see that within the year lobbying by agencies who had invested in getting their customers to use 2FA over SMS led NIST to remove the deprecation.

china did it

[fulldecent]

WeChat has TFA figured out so well. Americans can learn. Here is the experience that will have people actually wanting to use an authenticator app:

1. You want to login to a website (let's say on your computer)
2. The website shows you a QR code
3. You scan that QR code and click login
4. The website on your computer knows you are logged in and loads the next page with no click

---

And, this workflow also works for account creation. AND when creating an account it allows you to choose whether to use your real identity or to create a new burner identity on the spot using a random picture and name. AND it doesn't give the service you are logging into your email address.

Ease of use is paramount

[bradley13]

Remember the saying: "perfect is the enemy of good enough"? Getting a plain-test SMS with limited-time validity is good enough. Actually, if it stops 99.9% of attacks, it is more than good enough.

App-based authenticators - I think I have 5 on my phone right now. Actually, it's my temporary phone, because my actual phone is in for warranty repairs. So I had to move all those authenticator services to the temporary phone, and will have to move them all back. Each one with a different process, sometimes easy,

Re:

[omnichad]

Good enough for security, but requires cellular service in places where you may only have ethernet or wifi.

Re:

[dotancohen]

I've just researching authenticators now. Does not the LastPass Authenticator replace many others?

Screw MFA altogether

[smooth wombat]

I shouldn't have to be harassed to use the product I've purchased. You have my information, that's all you need to know. You don't need my phone number, you don't need an external email address you, don't need to force me to install spyware on my machine or phone just to use it.

The same with my desk phone. If you are not logged into the phone with your MSFT account, you can't use the phone except for 911. You read right. The phone is a paper weight unless you are signed into it. This means if I'm working somewhere and suddenly need to use a desk phone, unless someone is logged into their phone, it can't be used.

Even better, when you change your system password, you have to reauthenticate your phone because there's no communication between it and the password you just changed even though both are linked to your MSFT account.

Even though it's a few years away, retirement is looking better and better. Not having to deal with this waste of time shit will be wonderful.

MFA usability is not there

[juancn]

It's so fucking annoying to use. Also, the "what happens when I lose my second factor" is a nightmare.

You either get locked out of *all* your accounts using that second factor, or the security wasn't there in the first place, just the annoyance.

I can easily copy keys in the real world and give them to friends and family for backup. MFA keys, are expensive, and hard to use. The cellphone versions are not much better. You lose your phone, gets stolen, it breaks. What do you do then? It's not like you can call a locksmith.

I tolerate them for banking, because I can go to the bank with my id and request access again. There's someone to talk to. But tech companies? Forget it.

Re:

[swillden]

It's so fucking annoying to use.

Security keys are not.

Also, the "what happens when I lose my second factor" is a nightmare.

Yeah, backup options are mandatory.

But which authenticator(s)?

[mikeebbbd]

And which web sites? MS obviously wants people to use their authenticator app. I kind of have to, since I use if for MFA for a MS Account and for a workplace that's totally in the MS O365 camp. But the MS Authenticator doesn't work if Google wants to use an app - must have the Google Authenticator. Do we go on to the Apple Authenticator, Netflix Authenticator, and even p0rnhaus authenticator? I already have too many apps on my phone, and I don't need a gaggle of alleged authenticators.

The reason SMS authent

Awfully misleading headline alert!

[Photo_Nut]

Microsoft recommends you use app based approaches instead of SMS codes because the phone network is subject to unreliability and hacking attempts and the codes are subject to human fishing approaches. Those 2FA apps run on your phone are what they recommend.

The headline reads "Microsoft Urges Users To Stop Using Phone-Based Multi-Factor Authentication"

Re:

[Pascoea]

Unless the system is open source I am not using it. Microsoft is not open source.

Fixed that for you.

Re:

[DarkOx]

AFAIKT MS Authenticator is bog standard TOTP so you should be able to use any implementation you want with MS services, open source or otherwise.

I am using Google Authenticatior because it was already on my phone when they turned MFA on our o365 and it works fine.

Re:

[JThundley]

Does Google Authenticator support Approve/Deny notifications like MS Authenticator does? I'm in the same boat as you and I'd rather delete the only Microsoft app off my phone (I switched away from Swiftkey when MS bought it).

Re:

[DarkOx]

Cool so you go look at the RFC and write you own TOTP calculator, so need not even audit anyone else's code. Its really simple. You could probably get a perl/ruby/python script going with no includes outside the standard libraries in an hour or so to run right on your laptop.

QR code reading will be harder to do without external software but most registration process have some kind of fall back where they will give you the seed so you can hand key for people with broken cameras etc.

Re:

[WaffleMonster]

Cool so you go look at the RFC and write you own TOTP calculator, so need not even audit anyone else's code. Its really simple.

And totally insecure.

Re:

[sinij]

These are not mutually exclusive. Modern iOS and Android paired with modern hardware is capable of seamlessly and securely generating keys and certificates, storing them in TPM, and using them for signing without exposing private key. APIs to write your own are there. Commercial solutions like Entrust Identity Guard are also there.

Re:

[dotancohen]

Have you tried the LastPass Authenticator? I've not used it, but I've heard that people are happy with it.