Many organizations, including Microsoft, are urging users to replace telephone-based multi-factor authentication (MFA) methods, such as one-time codes sent via SMS and voice calls, with newer MFA technologies such as app-based authenticators and security keys.
A few reasons:
SIM Swapping and SIM Tampering
In a SIM swap (SIM breach/SIM hack) attack, a threat actor assumes your identity and convinces your carrier that they are you. Your phone number is then assigned to a new SIM card in a different phone. The threat actor does not need access to any of your physical devices to get into your accounts; once your number has been moved to a device in their possession, they receive every SMS OTP associated with your online accounts.
Lost and synchronized devices
In general, multi-factor authentication is regarded as the combination of two of three kinds of evidence that prove you are who you claim to be: a knowledge factor (something you know), an inherence factor (something you are), or a possession factor (something you have). Using a password together with an SMS OTP combines a knowledge factor with a possession factor; if you lose your phone, you should no longer be able to receive the validation messages.
However, because communications can now be synchronized across multiple devices, you may still have access to those messages even after losing the device that was supposed to be your second factor. This is insecure if you forward text messages to your email, which may itself have a weak password, or if you use a VoIP number that can be accessed from any device, with or without a PIN code.
Social manipulation and deception
Unfortunately, SMS OTP is not the only form of authentication susceptible to phishing attacks based on social engineering; weaker factors, such as passwords and security questions, are just as vulnerable. In a social engineering attack, a threat actor posing as an employee of a trusted service convinces you to divulge your account credentials and, in many instances, the SMS OTP sent to your device as well.
This is not an exhaustive list of the problems associated with using SMS OTP as a factor, but it should give you a sense of why it’s prudent to consider using stronger factors to secure your users and their data.
For additional context and reasons, see: It’s Time to Hang Up on Phone Transports for Authentication – Microsoft Community Hub
Good Informative article.
One question on the Authenticator app. We have a dependency on the Internet here; sometimes, if the network is slow, I have seen that the code or approval is delayed and, as a result, the login fails, and security keys have some cost involved. I have seen people switching back to OTP because of this. Is there any other alternative?
Very interesting article. This gives an interesting perspective on why telephone-based multi-factor authentication is not good, in very common language so that people from all walks of life can understand.