Your company's cloud CRM currently relies on usernames and passwords. Management wants an inexpensive second factor that can reach users even if they only have a desk phone or a basic mobile. You enable the service to place an automated voice call that reads a six-digit code which the user must type in before access is granted. From a security perspective, what is the main weakness of using a voice call as the second factor compared with other MFA options?
Calls travel across untrusted telephone networks, so the code can be intercepted or redirected by spoofing or call-forwarding attacks.
The code is generated locally by a time-based secret, so it cannot be intercepted but requires periodic resynchronization.
Security depends on a tamper-resistant hardware token, making it unsuitable for users without USB ports.
It relies on the FIDO2 standard, which exposes public keys that can be copied during transit.
Voice-call one-time codes are delivered over the public switched telephone network or VoIP services that the organization does not control. Attackers can redirect or spoof calls through number porting, SIM swapping, or VoIP manipulation, intercepting the code without ever possessing the user's device. Hardware tokens and TOTP apps generate the one-time code locally from a stored secret and do not depend on a potentially compromised phone line, while FIDO2 relies on public-key cryptography and never transmits a secret at all.