If you're using your phone for multi-factor authentication (MFA) to keep your important accounts safe, Microsoft has a warning for you. We'll get to that in just a second, but first, let's be clear on what we're talking about. MFA is an additional level of security beyond just a user name and password. For example, it's when your bank sends you a text message with a six-digit number that you have to enter on the website in order to get access to your accounts.
The idea is that if someone were to get access to your user name and password--either through some kind of data breach, or simply because they were able to crack it--your account would still be safe since presumably only you would have access to the code sent to your phone. The problem is, that's not necessarily true.
That's why Microsoft is warning people that while using text messages or phone verification as a form of MFA is better than nothing, it isn't as secure as you might think. That's because your phone number can be hacked, spoofed, swapped, or stolen.
Specifically, Alex Weinert, Microsoft's director of identity and security, wrote a blog post encouraging people to stop using their phone number for MFA. Weinert points out several reasons, including that SMS messages are not encrypted and that hackers have gotten very good at SIM-swapping.
I wrote about SIM-swapping last year--it's where hackers convince a phone company to activate someone's phone number onto their SIM in order to take over accounts. In fact, I argued it is one of the more dangerous threats when you think about how frequently we use our phone number as the default form of verification.
We use it to protect everything from bank accounts to credit cards to our work email and even social-media accounts. If someone were able to take control of your phone number, it's that much easier for them to gain access to your accounts.
Fortunately, there are better options. For example, both Microsoft and Google offer authentication apps for iOS and Android devices. Those apps allow you to use your device as an authentication key for your accounts. When you log in to one of those accounts, you have to enter a one-time code generated by the authenticator app, or tap to approve the sign-in, to gain access.
They are usually set up by scanning a QR code generated by the account you want to secure, or by typing in the secret key that the QR code contains. For even more security, you can use an actual physical key, such as Google's Titan Security Key. These devices connect to the USB port on your device, or via Bluetooth.
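To show why an authenticator app's code never travels over the phone network the way an SMS does, here is an added example (not from the article or from Microsoft's or Google's apps) of the standard TOTP scheme those apps implement: the QR code carries a shared secret, and both the app and the server derive the six-digit code from that secret plus the current time. The `otpauth://` URI is constructed for illustration and uses the RFC 6238 reference secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed example of the otpauth URI an account encodes in its setup QR code.
# The secret is the RFC 6238 reference key "12345678901234567890", base32-encoded.
EXAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"


def secret_from_uri(uri: str) -> bytes:
    """Extract and decode the base32 shared secret from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    # base32 needs padding to a multiple of 8 chars; QR payloads usually omit it.
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift, compared in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    key = secret_from_uri(EXAMPLE_URI)
    print("current code:", totp(key, int(time.time())))
```

Because the only thing exchanged at sign-in is a short-lived code derived locally, taking over the phone number (SIM swap or SMS interception) yields nothing; an attacker would need the secret itself.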
One of the reasons why people don't opt for higher security is that it's a hassle. It just is. It's kind of a pain to have to jump through hoops just to log into an account. Most people probably get annoyed that they have to wait for a text message if they log on to their credit card account on a new device or for the first time in a few weeks. That additional level of friction when all you want to do is pay your balance can be annoying.
Then again, that's the benefit. If it's hard for you to log in because you have to enter a key from an authenticator app, or have a physical device connected to your computer, it's basically impossible for someone who has access to neither of those things. Which, of course, is the entire point. It's also why you should stop using your phone number and start using an app that's up to the task.