This falls into the “well, it is about time” category.
While text message (SMS) based two factor authentication is, by far, the most popular form, Microsoft said it should be avoided, along with voice call based two factor authentication.
Why? Is two factor authentication bad? Or useless? No, none of the above. It is just that there are more secure methods. Microsoft is clear that ANY form of two factor authentication significantly improves security over a password alone; the point is that SMS and voice are the weakest of the available options.
They provide a list of reasons why you should move to other forms of MFA. Adoption will take time, so this is a good message to deliver now.
The way we have seen most compromises of text message based two factor authentication go down is SIM-jacking (also called SIM swapping), where the attacker convinces the phone carrier to move your number to a SIM the attacker controls. From that point, any text message or voice call meant for you, including one-time codes, goes to the attacker. This is still a targeted attack, but any high value account can be the target. Banking, for example.
Migrating to app based authentication is considered far more secure because the second factor is a secret stored on your device rather than anything tied to your phone number, so a SIM swap no longer delivers your codes to the attacker. It is not bulletproof (a code typed into a convincing phishing page can still be relayed), but it takes the carrier out of the picture entirely. One risk is what happens if you lose your phone. For that, many of the apps support sending an encrypted backup to the cloud, protected by a strong password, and most sites also issue one-time recovery codes at enrollment that you should print or store somewhere safe.
Examples of (all free) app based authenticators are Microsoft Authenticator, Google Authenticator, Facebook Authenticator and Authy. Most websites that support app based MFA will work with any of these apps, even when they name one of them, because they all generate codes with the same standard algorithm (TOTP, RFC 6238): the site shows a QR code or base32 secret once at enrollment, and any app that stores that secret will produce the same codes.
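To make concrete why any TOTP app works with any TOTP-enabled site, and why a SIM swap buys the attacker nothing against it, here is a minimal RFC 4226/6238 implementation in Python. This is an added example, not code from the original post or from any of the authenticator apps named above; the only secret in it is the RFC's published test seed, and the server-side verify_totp with its clock-skew window is an assumed, simplified version of what a site would run.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test seed (the ASCII string "12345678901234567890").
# This is a test vector, NOT a real account secret; a real one is the random
# base32 string a site shows beside its enrollment QR code.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Nothing here depends on a phone number or on the carrier; only the
    secret and the clock matter, which is why a SIM swap does not help."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_base32_secret(shown: str) -> bytes:
    """Decode the base32 secret a site displays next to its QR code.

    Sites show it in spaced groups, often without '=' padding, and apps
    accept lower case; normalise all of that before decoding."""
    cleaned = shown.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Assumed server-side check: accept the current step and +/- `window` steps of skew.

    Every candidate is compared with hmac.compare_digest so the comparison
    does not leak, via timing, how many leading digits were correct."""
    accepted = False
    for skew in range(-window, window + 1):
        candidate = totp(secret, unix_time + skew * step, step, digits, algo)
        if hmac.compare_digest(candidate, submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    import time
    shown = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"  # base32 of RFC_TEST_SEED, as a site would show it
    secret = decode_base32_secret(shown)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```

The same secret entered into Microsoft Authenticator, Google Authenticator, Authy or this script yields the same six digits at the same moment; the carrier is not involved at any step, which is the whole point of the migration.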
One strategy is to move your highest value accounts to app based MFA first. For example, if it would be a problem if an attacker drained your retirement account, that account is a good first candidate for the new method.
Credit: Helpnet Security