Microsoft to Stop Supporting SMS 2FA 

by | Oct 4, 2023 | Security

If you are aware of the dangers of an unprotected account, you might have enabled two-factor authentication (2FA) to prevent attacks from threat actors. 2FA is a security feature that requires a user to enter a code sent to their phone or email, in addition to their password, when they sign in. This way, even if someone steals a person’s password, they can’t access the account without the code.

However, Microsoft has announced that it will stop supporting 2FA via SMS and phone calls, and it is now using notification prompts to encourage users to switch. Currently, Microsoft plans to discontinue SMS and phone-based MFA in October 2024, at which point all Microsoft 365 members will be required to switch their MFA methods. At that time, a person could be forced to stop using SMS 2FA.

People are being prompted to switch MFA methods now. While support for less secure 2FA methods won’t outright stop until October 2024, we are encouraging all of our clients to change now for increased security and a smooth transition. Switch methods now, while it is still in your power to decide to do so.  

This means that you will no longer be able to receive codes through text messages or voice calls, and you will have to use other methods of verification, such as an authenticator app or a security key. Why is Microsoft making this change? Short answer: better security. 

2FA vs MFA 

What is the difference between 2FA and MFA? 2FA is a type of multi-factor authentication (MFA), which is a general term for using more than one factor to verify your identity.  

A factor can be something you know (such as a password), something you have (such as a phone), or something you are (such as a fingerprint).  

2FA is a specific case of MFA that uses exactly two factors. For example, if you use a password and a code sent to your phone, that’s 2FA. However, MFA can also use more than two factors, such as a password, a code, and a fingerprint. That would be three-factor authentication (3FA). 

The more factors you use, the more secure your account is. However, more factors also mean more hassle and inconvenience for users. That’s why most services offer 2FA as a balance between security and usability. 

Why is SMS 2FA Less Preferred? 

Not all 2FA methods are equally secure. Some are more vulnerable to hacking than others. One of the weakest methods is SMS-based 2FA, which sends codes to your phone number via text messages. This method has several problems: 

  • SMS messages can be intercepted by hackers who use techniques such as SIM swapping, SS7 network attacks, or phishing. 
  • SMS messages may not be delivered due to network errors.  
  • SMS messages can be rendered useless if you don’t have your phone with you or if you change your phone number. If you lose your phone, you will have to have an administrator change your method of authentication.  

Because of these issues, many security experts recommend avoiding SMS-based 2FA and using other methods instead. Some of the alternatives are: 

  • Push Authentication: This generates a notification on your phone via an app, such as Microsoft Authenticator. Once the notification is approved, a simple code exchange is done to prove that you are interacting with the service requesting authentication (this prevents MFA fatigue), and then you are allowed in. These apps don’t rely on SMS, and they are more secure than text messages.  
  • TOTP Authentication: This is a rotating code (usually 6 digits every 30 seconds) that you exchange with the service at the time of login. This method was pioneered by the Security Dynamics (later RSA) SecurID device in 1993, and was popularized in modern form via the smartphone app Google Authenticator in 2010. Most apps that support Push Authentication support TOTP Authentication as well. While slightly less convenient, neither the service nor the authenticating device needs network connectivity at all, so this method is frequently used in circumstances where push notifications are not feasible.
  • Security keys: These are physical devices that plug into your computer or connect via Bluetooth or NFC. These devices act as a second factor that you touch or tap when you sign in. They are resistant to phishing and other attacks, and they are compatible with many services. 
  • Biometric factors: These login methods rely on a user’s physical characteristics, such as a fingerprint, face, voice, or iris. Most people will likely use fingerprints or face factors. These factors are convenient and hard to spoof, but they may not work well in some situations or environments. 

What to do 

If you are currently using SMS-based 2FA for your Microsoft account, you should have already switched to another method. If you haven’t yet, decide to do so now. 

Otherwise, you may lose access to your account or create security risks for your organization. If you are a client of SpireTech, we will gladly assist you in changing to a more secure version of authentication. Switching to MFA for your organization is our recommendation for the best security. If your company is hesitant to switch, we will work together to find a solution. 

By changing your 2FA method from SMS-based to app-based or key-based, you will improve your account security and avoid potential problems in the future.  

Conclusion 

Microsoft’s move to stop supporting SMS 2FA is part of a larger trend in the industry to move away from less secure methods of verification and adopt more modern and robust ones. While this may cause some inconvenience for users who are used to receiving codes via text messages, it is ultimately a positive change that will benefit a company’s security and privacy.

If you are still using SMS 2FA for your Microsoft account, or any other account for that matter, you should take this opportunity to switch to a better method as soon as possible. You will be glad you did.