Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Use Multi-Factor Authentication – It Blocks 99.9% of Account Takeover Attacks

August 28, 2019

ZDNet published a post on August 27, noting that Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

The recommendation applies not only to Microsoft accounts but also to any other profile, on any other website or online service.

If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it's something as simple as SMS-based one-time passwords or an advanced biometric solution.

"Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Weinert said that old advice like "never use a password that has ever been seen in a breach" or "use really long passwords" doesn't really help.

Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft's Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.

But Weinert said that despite blocking leaked credentials or simplistic passwords, hackers continued to compromise Microsoft accounts.

He attributed this to the fact that passwords or their complexity don't really matter anymore. Nowadays, hackers have different methods at their disposal to get users' credentials. Read the post to understand the methods being used.

With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user's current password.

The remaining 0.1% accounts for more sophisticated attacks that use tooling to intercept MFA codes or tokens, but these attacks are still very rare compared to the daily grind of credential stuffing botnets replaying leaked passwords.
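To make the two numbers concrete, here is a toy login service with an optional TOTP (RFC 6238) second factor. This is an added example written for this post; it is not code from Microsoft, ZDNet, or the blog, and it uses an authenticator-app code rather than the SMS variant mentioned above. The user names, passwords, "leaked" credentials and the RFC 4226 test secret are all constructed for the demo. It shows the credential stuffing case (a bot with a breach-dump password gets in only on the account without MFA) and the residual case (an attacker who captures a live code can use it once, but a replayed or stale code is rejected).

```python
"""Toy TOTP-backed login server (added example, not the blog's or Microsoft's code).

Demonstrates why a leaked password alone no longer logs in once MFA is on,
and where the residual 0.1% (real-time capture of a live MFA code) comes from.
All accounts, secrets and leaked credentials below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step either side of "now" to tolerate clock skew
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class AuthServer:
    """Minimal account store: salted PBKDF2 password hash plus optional TOTP secret."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def register(self, user: str, password: str, mfa: bool,
                 secret: Optional[bytes] = None) -> Optional[bytes]:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        totp_secret = (secret or secrets.token_bytes(20)) if mfa else None
        # last_counter records the most recent accepted time step so a code is used once
        self.users[user] = {"salt": salt, "hash": pw_hash,
                            "secret": totp_secret, "last_counter": -1}
        return totp_secret  # in real life this is what the authenticator app enrolls via QR code

    def login(self, user: str, password: str, otp: Optional[str], now: int) -> Tuple[bool, str]:
        rec = self.users.get(user)
        if rec is None:
            return False, "no-such-user"
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(cand, rec["hash"]):
            return False, "bad-password"
        if rec["secret"] is None:
            return True, "password-only"        # the account a stuffing bot takes over
        if otp is None:
            return False, "mfa-required"        # leaked password alone stops here
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                if c <= rec["last_counter"]:
                    return False, "otp-replayed"  # same code presented a second time
                rec["last_counter"] = c
                return True, "password+otp"
        return False, "bad-otp"                 # wrong code, or a captured code that has gone stale


def credential_stuffing(server: AuthServer, leaked: List[Tuple[str, str]], now: int) -> Dict[str, str]:
    """A bot replaying breach-dump credentials has no second factor to present."""
    return {u: server.login(u, p, None, now)[1] for u, p in leaked}


def realtime_phish(server: AuthServer, user: str, password: str, secret: bytes, now: int) -> List[str]:
    """The 0.1% case: the victim types a live code into a fake page and the attacker relays it.

    Returns the server's verdict for the relayed code, for a replay seconds later,
    and for the same code three time steps later (outside the skew window).
    """
    live = totp(secret, now)
    return [server.login(user, password, live, now)[1],
            server.login(user, password, live, now + 5)[1],
            server.login(user, password, live, now + 3 * STEP)[1]]


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"        # RFC 4226 / 6238 test-vector secret (constructed demo)
    srv = AuthServer()
    srv.register("alice", "Summer2019!", mfa=False)
    srv.register("bob", "correct horse", mfa=True, secret=rfc_secret)
    leaked = [("alice", "Summer2019!"), ("bob", "correct horse"), ("carol", "hunter2")]
    print("credential stuffing:", credential_stuffing(srv, leaked, now=59))
    print("real-time phish:    ", realtime_phish(srv, "bob", "correct horse", rfc_secret, now=59))
```

Only the account without MFA falls to the stuffing bot, even though the bot holds bob's correct password too. The relayed live code does get in, which is the kind of attack the residual 0.1% describes; the replay and the stale code are refused because the server accepts each time step once and only within a one-step skew window.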

Microsoft's claim that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn't the first of its kind. Back in May, Google said that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) were also improving their account security.

"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation," Google said at the time.

When both Google and Microsoft are recommending the same thing, it's probably a good time to start following their advice.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson