General
This check verifies whether SMS is blocked as the 1st factor for authentication.
Rationale
Because of the risk of SIM swapping, SMS is considered an insecure authentication method. At most it should be used as a 2nd factor, and even then it is safer to choose MFA push notifications or passkeys.
Microsoft by default enables the option to use SMS as the 1st factor for authentication. This means that a user only needs to enter a phone number and a code received via SMS to authenticate. An attacker with access to an employee's phone or their phone number (via SIM-swapping) can easily gain access to the Microsoft environment, and therefore we recommend disabling this setting.
Attic Fix
A fix is available for this check! It will be offered through a ticket in Attic, which you can then accept.
Manual Instructions
Follow these steps to adjust the setting:
- Open the Microsoft Entra admin center: https://entra.microsoft.com
- Go to Security > Authentication Methods
- Click on SMS
- Under All users, uncheck Use for sign-in so that it shows OFF
- Click on Save
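The same setting can be verified programmatically instead of through the portal. The helper below is an added example and is not part of Attic or of Microsoft's tooling. It evaluates the JSON that Microsoft Graph returns for GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms (assumed shape: an smsAuthenticationMethodConfiguration with a state field and includeTargets, each target carrying isUsableForSignIn; fetching it is assumed to require a token with Policy.Read.All). The sample responses are constructed, not captured from a real tenant, and the function names are my own.

```python
"""Check whether SMS is still usable as a 1st factor in Microsoft Entra ID.

Hypothetical helper (not Attic's own code). It works on the JSON body of
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms
from Microsoft Graph. The HTTP call itself is left to the caller; only the
evaluation of the returned policy object is shown here.
"""
import json
from typing import Any

# Constructed sample: the default tenant state described in the article,
# SMS enabled and usable for sign-in (1st factor) for all users.
SAMPLE_DEFAULT = json.dumps({
    "@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
    "id": "Sms",
    "state": "enabled",
    "includeTargets": [
        {"targetType": "group", "id": "all_users",
         "isRegistrationRequired": False, "isUsableForSignIn": True},
    ],
})

# Constructed sample after the manual fix: SMS stays enabled, but
# "Use for sign-in" is unchecked, so it can only serve as a 2nd factor.
SAMPLE_FIXED = json.dumps({
    "@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
    "id": "Sms",
    "state": "enabled",
    "includeTargets": [
        {"targetType": "group", "id": "all_users",
         "isRegistrationRequired": False, "isUsableForSignIn": False},
    ],
})

# Constructed sample with the SMS method disabled entirely: nothing to flag,
# because a disabled method cannot be used as any factor.
SAMPLE_DISABLED = json.dumps({
    "@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
    "id": "Sms",
    "state": "disabled",
    "includeTargets": [
        {"targetType": "group", "id": "all_users",
         "isRegistrationRequired": False, "isUsableForSignIn": True},
    ],
})


def sms_first_factor_targets(config: dict[str, Any]) -> list[str]:
    """Return the ids of include targets for which SMS can be used to sign in.

    A target only counts when the SMS method itself is enabled; a target
    flagged isUsableForSignIn under a disabled method is inert.
    """
    if config.get("state", "disabled") != "enabled":
        return []
    return [
        target.get("id", "<unknown target>")
        for target in config.get("includeTargets", [])
        if target.get("isUsableForSignIn") is True
    ]


def check_sms_first_factor_blocked(raw_json: str) -> tuple[bool, str]:
    """Evaluate the check: True when SMS is blocked as a 1st factor."""
    config = json.loads(raw_json)
    offenders = sms_first_factor_targets(config)
    if offenders:
        return False, "SMS usable as 1st factor for: " + ", ".join(offenders)
    return True, "SMS is not usable for sign-in (blocked as 1st factor)"


if __name__ == "__main__":
    for label, sample in [("default", SAMPLE_DEFAULT),
                          ("fixed", SAMPLE_FIXED),
                          ("disabled", SAMPLE_DISABLED)]:
        passed, detail = check_sms_first_factor_blocked(sample)
        print(f"{label:9} {'PASS' if passed else 'FAIL'}: {detail}")
```

The check deliberately keys on isUsableForSignIn rather than on the method's state alone: leaving SMS enabled as a 2nd factor is acceptable per the rationale above, so only targets that can sign in with SMS as the first factor are reported.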