Microsoft is urging users to stop using multi-step verification via SMS wherever possible. Even so, SMS verification is still more secure than a password alone.
Alex Weinert, who heads Identity Security at Microsoft, urges users in a blog post on the company's site not to use two-step verification via SMS where possible, because those messages can be intercepted.
Weinert has long advocated multi-step verification, in which a hardware key, an authenticator app or an SMS code is required to log in, in addition to a password.
According to him, the system blocks more than 99% of phishing and hacking attempts against Microsoft accounts. But not every form of two-step verification is equally secure, he writes.
With two-step verification in which you receive the extra code via a text message or a voice call, there is still a small chance that the message will be intercepted, because it travels over the public telephone network.
The codes are sent in plain text, because SMS messages are hard to encrypt. Codes delivered this way also stay valid for longer, which gives an attacker more time to hijack the login.
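To make the time-window point concrete, here is an added example (not code from the article or from Microsoft) that contrasts an RFC 6238 TOTP verifier, whose codes are bound to a 30-second step, with an SMS-style one-time code that stays valid until a fixed lifetime expires. The 10-minute SMS lifetime and the one-step clock-drift tolerance are assumptions chosen for illustration; the article gives no specific values. The TOTP part is checked against the published RFC 6238 test vector (secret "12345678901234567890", time 59, code 287082 at six digits).

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30            # RFC 6238 default time step, in seconds
TOTP_DRIFT_STEPS = 1      # assumed: accept one step either side of "now" for clock skew
SMS_CODE_LIFETIME = 600   # assumed: SMS code stays valid for 10 minutes (illustrative only)

# RFC 4226 / RFC 6238 test-vector secret (ASCII), so results can be checked against the RFCs.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int,
                step: int = TOTP_STEP, drift: int = TOTP_DRIFT_STEPS) -> bool:
    """Accept the code for the current step and `drift` steps either side.

    The code is only ever valid inside a window of (2 * drift + 1) * step seconds,
    no matter how it was obtained; the comparison is constant-time.
    """
    current = now // step
    return any(
        hmac.compare_digest(hotp(secret, current + k), code)
        for k in range(-drift, drift + 1)
    )


def verify_sms_code(issued_code: str, issued_at: int, presented_code: str, now: int,
                    lifetime: int = SMS_CODE_LIFETIME) -> bool:
    """SMS-style verification: the server stores the code it sent and accepts it
    as-is until the lifetime expires. An intercepted code is usable for the whole
    remaining lifetime."""
    if now - issued_at > lifetime:
        return False
    return hmac.compare_digest(issued_code, presented_code)


def totp_acceptance_window(step: int = TOTP_STEP, drift: int = TOTP_DRIFT_STEPS) -> int:
    """Seconds during which a single TOTP code is accepted."""
    return (2 * drift + 1) * step


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)                     # RFC 6238 vector: 287082
    print("TOTP at t=59:", code)
    print("TOTP accepted at t=89 :", verify_totp(RFC_SECRET, code, 89))
    print("TOTP accepted at t=150:", verify_totp(RFC_SECRET, code, 150))
    print("TOTP window (s):", totp_acceptance_window())
    sms = "483920"                                  # constructed sample SMS code
    print("SMS accepted after 9m59s:", verify_sms_code(sms, 0, sms, 599))
    print("SMS accepted after 10m01s:", verify_sms_code(sms, 0, sms, 601))
```

With these (assumed) settings a stolen TOTP code is useful for at most 90 seconds, while a stolen SMS code remains useful for the rest of its 10-minute lifetime, which is the asymmetry the article describes. Shortening the SMS lifetime narrows that window but does nothing about the plaintext transport.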