So we started enforcing MFA on all our Office 365 accounts last week. For the most part, people are using the SMS option. Even after setting up their SMS, Office tried to push the authenticator app when they logged in, but there was always a button below to skip it. Someone’s account this morning had no way to skip it though. No matter what I did, after they put in their text code it would still make them download an authenticator. I finally bypassed this by deleting their MFA details and re-entering them, but after setting the SMS again, it still made me create some app password that I believe will cause problems with future log-ons. Looking at their account I still see their phone number as the only MFA, but I’m afraid I will have to go through all this again when they log out. Did Microsoft change something over the weekend, or is there something I can look at on why they couldn’t bypass the authenticator download and setup? This is the first case of this I’ve seen out of at least 70 we’ve set up on MFA.

This was all done in the browser. I think it was Chrome, but I could be wrong.

3 Spice ups

Have you enabled 365 Security Defaults? My recollection is that that setting forces Authenticator on everyone, which is why we leave it turned off so it doesn’t hose service and device accounts. There are also some options in Azure AD administration, or whatever it’s called this week, that set acceptable authentication methods at the per-user, per-group and org level. FWIW, SMS has become hackable, so authenticator apps are genuinely safer.
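To check the two things this reply points at (Security Defaults and the tenant’s authentication methods policy) alongside what a single user has actually registered, here is an added example using the Microsoft Graph PowerShell SDK. It is not code from this thread or from Microsoft; the user principal name is a placeholder, and it assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the read-only scopes listed.

```powershell
# Added example (not from the thread): read Security Defaults, the tenant-wide
# authentication methods policy, and one user's registered MFA methods.
# Assumes: Install-Module Microsoft.Graph has been run; read-only Graph scopes only.
# The UPN passed in is a placeholder; replace it with the affected account.

function Get-MfaPosture {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Read-only scopes are sufficient for every call below.
    Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

    # 1. Security Defaults: when enabled, the tenant pushes Authenticator registration.
    $securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

    # 2. Tenant-wide authentication methods policy: which methods are enabled (Sms,
    #    MicrosoftAuthenticator, Fido2, ...) and their current state.
    $methodPolicy = Get-MgPolicyAuthenticationMethodPolicy
    $methodStates = $methodPolicy.AuthenticationMethodConfigurations |
        ForEach-Object { [pscustomobject]@{ Method = $_.Id; State = $_.State } }

    # 3. What the user has actually registered. Each method's OData type tells you
    #    whether it is a phone (SMS/voice), Authenticator app, FIDO2 key, etc.
    $registered = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }

    $hasPhone = $registered -contains 'phoneAuthenticationMethod'
    $hasApp   = $registered -contains 'microsoftAuthenticatorAuthenticationMethod'
    $hasFido2 = $registered -contains 'fido2AuthenticationMethod'

    [pscustomobject]@{
        User                    = $UserPrincipalName
        SecurityDefaultsEnabled = $securityDefaults.IsEnabled
        TenantMethodStates      = $methodStates
        UserRegisteredMethods   = $registered
        HasPhishingResistantMfa = $hasFido2
        # SMS/voice is the only second factor: the weakest posture discussed in this thread.
        SmsOnly                 = $hasPhone -and -not $hasApp -and -not $hasFido2
    }
}

# Usage (placeholder UPN):
# Get-MfaPosture -UserPrincipalName 'user@example.com' | Format-List
```

If `SecurityDefaultsEnabled` comes back `True`, that explains the forced Authenticator enrollment; if it is `False`, look at `TenantMethodStates` and any Conditional Access or registration campaign settings instead. The `SmsOnly` flag is a quick way to find accounts that would benefit from an Authenticator app or a hardware key.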

Did microsoft change something

Yes, you can only skip 3 times now, as mentioned in this post from a few weeks back:

There is additional discussion here:

1 Spice up

BTW, I would think hard about the SMS option. It puts a critical factor of your security under someone else’s oversight.
Yes, it is still very common and in use everywhere, but it is not really a secure method anymore, as the stakes have been raised.

For example: We not so long ago had an incident where the threat actor abused a trust relationship with a known contact (who had themselves been compromised) to gain control over a user’s personal phone at one of our locations. The compromised person sent a “funny haha” type message, and the second user followed the link to compromise. Messages were deleted from the sender’s device so as not to alert them that they had sent an attack to anyone. (Verified by investigation, and victim one’s phone records.)

They then used that to further steal the identity of our user. They sent the SMS message; the message was received, viewed and used, then deleted from the user’s device (verified by sign-in logs and the user’s phone bill). All done in the middle of the night while the user was completely unaware.

Internally we use YubiKeys, which can easily be configured to work with Office 365 without a third-party identity provider.
That requires physical interaction and human accountability. Yubico is not the only player; there are several other HW tokens out there.

Though it sounds like CIA cloak-and-dagger, “nothing is perfect” talk… Remember a fair lot of BEC falls into two categories: negligence (user-supplied credentials with no MFA, poor security controls, etc.), or very targeted. The targeted attacks most often come from talented attackers with goals. In the case above, the compromised users were at a conference at the same time, for the same purpose, and the attackers were playing the field AT that conference. When we blew the whistle on that to other known contacts there and the event organizers, come to find out, several others had been hit in similar fashion.

The targeted attacks can get very deep very fast, with huge compendiums of user data allowing for strategic success through degrees of separation, if not directly.

Mobile devices are the bulk of the modern internet as far as access goes: https://www.statista.com/statistics/277125/share-of-website-traffic-coming-from-mobile-devices/
So it is not uncommon for modern data breaches to start with the mobile device and then spread from there, such as “we have the phone, let’s go get the email,” instead of “we have the email, can we get the phone?”

Granted, it is better than nothing, and it lessens the attack surface significantly.
But the future of MFA is not SMS anymore, for sure.

1 Spice up

Welcome to the community!

I wanted to share my experience since I encountered a similar issue with MFA. After setting up SMS for several users, one user couldn’t skip the authenticator prompt either, despite having everything configured correctly. I followed a similar process by removing and re-entering MFA details, but they were still prompted to create an app password, which added unnecessary complexity.

It feels like something might have changed on Microsoft’s end, as this hasn’t happened to others.

Same here. Set up SMS MFA for dozens of users, but one got stuck in a loop requiring the Authenticator app and an app password. It definitely feels like Microsoft changed something recently. We’ve started looking into Clerk Chat as an alternative for internal messaging and identity workflows. From what I read and heard, it might simplify some of this MFA mess.