Is the security of the Authenticator App weakened when adding Additional Security Verification methods?

Jesse Vaught 21 Reputation points
2020-12-02T06:15:56.707+00:00

If a user sets up an additional security verification method on this page https://aka.ms/mfasetup, or https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1, doesn't that defeat the purpose of using the Authenticator App in the first place? In other words, if someone has the Authenticator App set up and then they ALSO have an SMS number set up, couldn't an attacker just choose "sign in another way" and choose to receive an SMS code instead??

It seems to me that having this "alternative method" defeats the purpose of the app altogether. SMS codes are easily compromised with SIM swap or SIM duplication. This is the reason for moving to an authenticator anyway, so why then make SMS as your "backup" verification??

Also, if I understand this correctly - that it does in fact weaken your security, then WHY does Microsoft force you to add a backup method when setting up SSPR (Self-service password reset)?

Lastly, if you choose NOT to have a backup and upgrade your phone, you're hosed (unless you have another admin on staff who can revoke your MFA and force re-registration)!

Am I missing something?


Accepted answer
AmanpreetSingh-MSFT 56,306 Reputation points
2020-12-02T08:05:35.867+00:00

Hello @Anonymous · Welcome to Q&A platform and thank you for your query.

It is not necessary to have SMS as a backup method. You can have a phone call as an alternate method and provide a fixed line/landline number as well.

Having SMS/Phone Call as backup options is helpful in situations when you have to:

1. Reset your phone to factory defaults
2. Uninstall the Authenticator app due to frequent app crashes

And you need to set up the Authenticator app again without engaging your local IT support, which often causes unnecessary delay. Having Additional Security Verification methods is also helpful when you don't have internet access and can't receive app notifications but still want to access your applications.

Keep in mind, MFA is a combination of the below in this case:

• What you know - Password
• What you have - Phone

If one of these is missing, the account can't be compromised. SIM swap or SIM duplication will help only when your password is compromised too.

WHY does Microsoft force you to add a backup method when setting up SSPR?

This setting is configurable. You can choose the number of methods required to reset a password and which methods should be available to the user, as highlighted below:

[image: 44268-image.png]

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

1 person found this answer helpful.
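The point the question and the answer circle around is that an account's effective second-factor strength is the weakest method the sign-in policy will accept, because "sign in another way" lets the sign-in pick any registered method. The following Python is an added example, not code from the original thread or from Microsoft: it takes a constructed JSON document shaped like the Microsoft Graph `GET /users/{id}/authentication/methods` response (the ids and phone number are placeholders), ranks the registered methods by an assumed assurance order, and reports whether a weaker fallback undercuts the Authenticator app. Passing `allowed_types` models an admin restricting the tenant's authentication methods policy, which is the configuration-level fix the answer points at.

```python
import json
from typing import Optional, Set

# Constructed sample shaped like a Microsoft Graph
# GET /users/{id}/authentication/methods response. Ids and number are placeholders.
SAMPLE_METHODS_JSON = """
{
  "value": [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod",
     "id": "id-placeholder-1"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "id": "id-placeholder-2", "displayName": "example-phone"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
     "id": "id-placeholder-3", "phoneType": "mobile",
     "phoneNumber": "+1 5555550100", "smsSignInState": "notSupported"}
  ]
}
"""

# Assumed relative assurance ranking for this example (lower = weaker).
# Password and email are not sign-in second factors, so they are not ranked.
STRENGTH = {
    "#microsoft.graph.phoneAuthenticationMethod": 1,                   # SMS / voice, SIM-swap exposed
    "#microsoft.graph.softwareOathAuthenticationMethod": 2,            # TOTP code
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": 3,  # push / phone sign-in
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": 4,
    "#microsoft.graph.fido2AuthenticationMethod": 4,
}


def effective_second_factor(methods_json: str,
                            allowed_types: Optional[Set[str]] = None) -> dict:
    """Return the weakest and strongest registered second factors a sign-in
    could use, and whether the weakest one is a downgrade from the strongest.

    allowed_types models the tenant's authentication methods policy: a method
    the admin has disabled cannot be chosen via "sign in another way".
    """
    methods = json.loads(methods_json)["value"]
    candidates = []
    for method in methods:
        odata_type = method["@odata.type"]
        if odata_type not in STRENGTH:
            continue  # password, email, etc. are not sign-in second factors here
        if allowed_types is not None and odata_type not in allowed_types:
            continue  # disabled by policy, so not selectable as a fallback
        candidates.append((STRENGTH[odata_type], odata_type))
    if not candidates:
        return {"weakest": None, "strongest": None, "downgrade": False}
    candidates.sort()
    weakest, strongest = candidates[0][1], candidates[-1][1]
    return {
        "weakest": weakest,
        "strongest": strongest,
        "downgrade": STRENGTH[weakest] < STRENGTH[strongest],
    }


if __name__ == "__main__":
    # Default policy: every registered method is selectable, so SMS/voice wins.
    print(effective_second_factor(SAMPLE_METHODS_JSON))
    # Policy restricted to the Authenticator app: the phone method no longer counts.
    print(effective_second_factor(
        SAMPLE_METHODS_JSON,
        allowed_types={"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}))
```

Run over real Graph output, the `downgrade` flag identifies users whose registered phone method silently caps their assurance at the SMS/voice level; tightening the policy (or removing the phone method, which the answer notes costs you self-service recovery) is what changes the result.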

0 additional answers
