
November 26, 2025

Why SMS and Voice MFA make your organization vulnerable

 

Multi-Factor Authentication (MFA) has become essential for securing modern IT environments. Yet many organizations still use outdated methods such as SMS, voice calls or e-mail. This makes accounts vulnerable to attackers.

Why MFA is important

MFA adds an extra layer to your login process: in addition to a username and password, you must present something extra, such as a one-time code, a physical security key or a biometric. But not every form of MFA is equally secure.

In Microsoft Entra ID, methods such as SMS, voice calls and e-mail are enabled by default. They seem convenient, but they are vulnerable to targeted attacks. And once an attacker is in, the session looks like a legitimate login in your logs and can go undetected for months.

 

What makes SMS, voice and e-mail MFA unsafe?

Attackers often use this sequence:

  1. Reconnaissance
    They find out if your organization is using weak MFA methods, via social engineering or scanning.

  2. Access
    Using phishing, password spraying or credential stuffing, they collect login credentials.

  3. Bypassing the second factor

    • SMS: via SIM swapping, SS7 vulnerabilities or malware on the phone

    • Voice: via vishing or call forwarding

    • E-mail: via phishing or access to the mailbox

  4. Building persistence
    They register their own MFA method (or device) on the account, so they keep access even after the password is reset.

  5. Lateral movement and escalation
    They use access to penetrate other accounts or systems.

  6. Doing damage
    Think data exfiltration, privilege escalation, and disruption of services – all without alarm bells because everything looks “legitimate” in the logs.

 

What are better alternatives?

Strong MFA methods include:

  • Authenticator apps (e.g., Microsoft or Google Authenticator)

  • FIDO2 security keys (such as YubiKey)

  • Biometric authentication bound to a device (fingerprint, facial recognition, e.g. Windows Hello for Business)

These methods cannot be intercepted the way an SMS or a phone call can. FIDO2 security keys and device-bound biometrics are phishing-resistant; an authenticator app is a large step up from SMS, but a one-time code or a push approval can still be phished or fatigued, so treat it as the minimum, not the end state.

 

What can you do in Microsoft Entra?

  1. Disable SMS, voice and e-mail in the Authentication methods policy, after checking who still depends on them

  2. Migrate users to strong methods in phases, starting with administrators

  3. Train your users on secure login practices, including never approving an MFA prompt they did not trigger themselves

  4. Actively monitor anomalous sign-in behaviour and newly registered MFA methods
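The four steps above, worked through in one script. This is an added example, not code from the ALTA-ICT article: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgPolicyAuthenticationMethodPolicy, Get-MgReportAuthenticationMethodUserRegistrationDetail, Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration, Get-MgAuditLogSignIn, Get-MgAuditLogDirectoryAudit) and assumes an account holding the Authentication Policy Administrator role with read access to the sign-in and audit logs. The lists of "weak" and "strong" method names, the regex used to spot phone-based sign-in methods and the 7-day lookback are choices made for this example, not Entra defaults.

```powershell
<#
  Added example, not code from the ALTA-ICT article: inventory, disable and monitor
  weak MFA methods in Microsoft Entra ID with the Microsoft Graph PowerShell SDK.
  Assumptions: Microsoft.Graph is installed (Install-Module Microsoft.Graph), the
  signed-in account holds Authentication Policy Administrator (or Global Administrator)
  plus log read access, and the tenant is your own. $weakMethods, $strongMethods, the
  regex in step 4 and $LookbackDays are choices made for this example.
  Run read-only first; add -Apply to actually disable SMS and voice.
#>
param(
    [switch]$Apply,
    [int]$LookbackDays = 7
)

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                                   'UserAuthenticationMethod.Read.All',
                                   'AuditLog.Read.All'

# 1. Visibility: which methods does the Authentication methods policy currently allow?
$policy = Get-MgPolicyAuthenticationMethodPolicy
# Until this reads 'migrationComplete', the legacy per-user MFA and SSPR settings are
# still honoured, and disabling SMS here does not stop SMS from being used.
"Policy migration state: $($policy.PolicyMigrationState)"
$policy.AuthenticationMethodConfigurations |
    Select-Object Id, State | Sort-Object Id | Format-Table -AutoSize

# 2. Migration targets: users with a phone or e-mail method registered and nothing
#    stronger to fall back on. Disabling SMS before they register a strong method
#    locks them out, so this list drives the phased migration.
$weakMethods   = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email')
$strongMethods = @('microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
                   'softwareOneTimePasscode', 'fido2SecurityKey',
                   'passKeyDeviceBound', 'windowsHelloForBusiness')
$registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$needMigration = foreach ($u in $registrations) {
    $hasWeak   = @($u.MethodsRegistered | Where-Object { $_ -in $weakMethods }).Count -gt 0
    $hasStrong = @($u.MethodsRegistered | Where-Object { $_ -in $strongMethods }).Count -gt 0
    if ($hasWeak -and -not $hasStrong) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            IsAdmin    = $u.IsAdmin            # admins go first in the migration
            DefaultMfa = $u.DefaultMfaMethod
            Methods    = ($u.MethodsRegistered -join ', ')
        }
    }
}
"Users who still depend on SMS/voice/e-mail only: $(@($needMigration).Count)"
$needMigration | Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# 3. Disable SMS and voice in the policy. E-mail OTP is used for self-service password
#    reset and guest sign-in, so review it the same way before touching it.
#    Only runs with -Apply, and only once nobody depends on the weak methods.
if ($Apply) {
    if (@($needMigration).Count -gt 0) {
        throw 'Users still depend on weak methods; migrate them before disabling.'
    }
    $configs = @{
        Sms   = '#microsoft.graph.smsAuthenticationMethodConfiguration'
        Voice = '#microsoft.graph.voiceAuthenticationMethodConfiguration'
    }
    foreach ($id in $configs.Keys) {
        Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId $id `
            -BodyParameter @{ '@odata.type' = $configs[$id]; id = $id; state = 'disabled' }
        "Disabled $id"
    }
}

# 4a. Monitoring: sign-ins in the lookback window whose MFA step was satisfied by a
#     phone-based method. authenticationDetails carries display strings such as
#     "Text message", so a regex (an assumption of this example) is used, not an exact match.
$since    = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns  = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$phoneMfa = $signIns | Where-Object {
    @($_.AuthenticationDetails | Where-Object {
        $_.Succeeded -and $_.AuthenticationMethod -match 'text message|voice|phone'
    }).Count -gt 0
}
"Sign-ins completed with SMS/voice since ${since}: $(@($phoneMfa).Count)"
$phoneMfa | Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 20 | Format-Table -AutoSize

# 4b. Persistence: an attacker who gets in registers their own method. Each registration
#     is written to the directory audit log; check every one against a known change
#     (help-desk ticket, onboarding) and look hard at the source IP address.
$regEvents = Get-MgAuditLogDirectoryAudit -All -Filter `
    "activityDisplayName eq 'User registered security info' and activityDateTime ge $since"
$regEvents | ForEach-Object {
    [pscustomobject]@{
        When   = $_.ActivityDateTime
        User   = $_.TargetResources[0].UserPrincipalName
        FromIp = $_.InitiatedBy.User.IPAddress
        Detail = $_.ResultReason          # usually names the method that was registered
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Run it without -Apply first: step 3 refuses to disable anything while step 2 still finds users who have no strong method, and the policy change has no effect until the migration state is migrationComplete, because the legacy per-user MFA and SSPR settings are honoured until then. For the phased migration itself, a Conditional Access policy with a phishing-resistant authentication strength lets you require FIDO2 or Windows Hello for Business for administrators first while the rest of the tenant still uses the authenticator app.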

 

Common mistakes

  • Thinking that “MFA = safe,” regardless of method

  • Not having visibility into which methods are enabled

  • Letting users pick the most convenient method, with no policy enforcing a minimum

  • Not logging or reviewing sign-ins and MFA registrations

 

Conclusion

Weak MFA is not really MFA. It is false security, and it is actively exploited by cybercriminals.

Strong authentication is the standard for Zero Trust in 2025, and the foundation for any organization serious about protecting its people and data.

Time for a reality check: which MFA methods are still active in your organization?
