Microsoft MFA Warning Confusion: We’re Setting the Story Straight on Multi-Factor Authentication

Microsoft MFA (Multi-Factor Authentication)

The recent Microsoft MFA warning has caused some confusion, leading some to think that multi-factor authentication as a whole was the target. As cyber security experts we’re setting the story straight about what Microsoft was really saying and how MFA is still your best cyber security tool.

MFA aka  Multi-Factor Authentication: What It Is

Before you can use your computer or a smartphone, you have  to “authenticate” yourself, usually with a password or PIN.  That’s one-factor authentication. 

When you go to a gas station and use your credit card you might be required to enter your zip code. That’s an example of two-factor authentication (2FA): pairing something you have (your credit card) with something you know (your zip code). 

But cyber criminals are getting smarter and have found ways around  that so multi-factor authentication has emerged.  Basically simple but nonetheless scary to many people. 

Know what to do in a ransomware attack with our free checklist

Types of Multi-Factor Authentication (MFA)

All MFAs involve two-factor authentication (2FA). MFA also makes use of a one-time password (OTP) that is generated and changes often. When you log in, in addition to your username and password, you need to enter the OTP. But there are different ways you can get that OTP and some are more secure than others.

MFA Apps

Using an MFA app to generate your OTP is not included in the warning issued by Microsoft and is the most secure form of authentication.

You can download Microsoft Authenticator, Google Authenticator or several others from the App Store or Google Play. You then set up individual accounts within the app, which generates OTPs that refresh every 30 seconds. Whenever you’re prompted to enter an OTP, it’s as simple as opening the app to retrieve it.

With this type of MFA, cyber criminals will not be able access your account even if they have discovered your username and password because they don’t have the OTP. And the only way they could get the OTP is by physically stealing your phone.

Authentication By Text or Push Notifications

These types of authentication are part of the Microsoft warning because they are less secure than using an authenticator app.  

With the text method, when you sign in to your account with your username and password, it triggers an OTP to be sent to your phone number by text (SMS). That doesn’t happen with push notifications. The OTP simply pops up and then disappears. Sometimes the push notification doesn’t contain a code at all but just prompts you to say “yes,” “ok” or otherwise acknowledge that you triggered the notification.

Multi Factor Authentication App

They are less secure than MFA by app because cyber criminals can steal your phone number without ever getting a hold of your phone. This is a crime called SIM jacking (or SIM swapping). Because it is on the rise, SIM jacking is likely the reason for Microsoft’s warning. 

Microsoft warned against these two types of authentication because they want to encourage users to choose the app method (and site developers to include MFA by app as an option). While using the app method is preferable, it is not always available. It’s important to be clear that MFA by text or push notification is still better than having no MFA enabled at all

If you need to choose one of these methods, MFA by text is better than by push notifications, which are inconsistent and can be easily clicked by mistake. If you use either, make sure to check back from time to time to see if the by app method becomes available for that site.

Know what to do in a ransomware attack with our free checklist

Multi-Factor Authentication (MFA) Bottomline

Choose to enable MFA using an authenticator app  if you have the option. Don’t choose a less secure MFA method instead.

  • If the app method is NOT available, choose text.
  • If MFA by text is NOT available, choose push notifications rather than have no MFA at all.

There are times when you might not be allowed to have your smartphone with you, such as when working in high security areas. Hardware security keys offer even better cyber security than MFA with an authenticator app and don’t require a smartphone. The keys (e.g., Yubikey) are about the size of a USB with a screen to display your OTPs. Learn more about security keys.

MFA by email or phone call are not considered safe and are not recommended. Cyber criminals know how to mimic these prompts and use them to gain access to your systems.

So, if you are looking for the best cyber security protection methods available, give us a call for a free, no pressure consultant contact us or book a meeting.

Know what to do in a ransomware attack with our free checklist

Posted in
Jairo Avila

Jairo Avila

Jairo is the CSO of Internos Group and a partner. As senior client manager, Jairo connects our clients’ needs to our IT services so that it all flows together. With more than 23 years of experience in the IT industry, Jairo plays an essential role helping our clients develop a technology strategy and working with the Internos team to make sure everyone can breathe a little easier.

Would You Know What To Do in a

We’ve compiled an easy checklist to help you and your team know what to do if you get a ransomware attack. It’s a simple checklist with the essentials you need to minimize damage and prevent future issues. Here are some of the essentials it will include:

  • Immediate measures to take when attacked.
  • Ways to isolate the threat and eliminate it.
  • Ways to quickly run your backup and begin normal business again.
  • Prevention procedure so you don’t get hacked or don’t get hacked again.