Is AAD Password-less SMS authentication considered MFA? And Secure?

Question

Last month Password-less AAD SMS Authentication was released to Public Preview.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-sms-signin

Is this considered MFA? MFA is typically considered at least two of "Something you have/are/know", but in this case it seems to only be "Something you have"?

Also, how safe is password-less SMS authentication? SMS might not be very easy to spoof from a great distance, but they aren't encrypted either.

In contrast with the Authenticator app which is both encrypted and the password-less authentication require the app (something you have) and a Pin (something you know) or a Biometric (something you are).

At the moment this is limited not to work with Native Office apps, but hopefully that will be remedied, in which case it will be a great complement in the battle for those resisting MFA.

Answer 1

No, SMS login is not multifactor, and you will note that nowhere in that article is it called that. SMS auth is single factor. The article states that:

SMS-based authentication isn't currently compatible with Azure Multi-Factor Authentication.

Which implies that eventually you will be able to use this with MFA.

SMS is inherently less safe than something like the authenticator app, and so if this is a concern you can look at using that, however if simplicity and reaching the broadest set of users then this could be a useful tool.