Microsoft: 2-factor authentication blocks 99.9% of account attacks effectively
What is the best protection against attacks on accounts? Microsoft believes that it is 2-factor authentication, and the company has stats to back it up. Microsoft says that 2-factor authentication, sometimes also called two-step verification or multi-factor authentication, blocks 99.9% of automated attacks.
Microsoft observes over 300 million fraudulent sign-in attempts to its cloud services every day, along with 167 million daily malware attacks and over 4000 daily ransomware attacks against organizations.
According to Microsoft, the most effective form of protection against automated attacks is to enable multi-factor authentication if the service supports it. Not all services do, but where it is supported, users should enable it to automatically protect their accounts against the majority of attacks, says Microsoft.
We have published several guides in the past that walk you through the steps of setting up two-factor authentication for certain services. Here is a short selection:
- Configure Two-Step Authentication for Firefox Accounts
- Facebook Login Approvals, Optional Two-Factor Authentication
- Finally: Two-Factor Authentication coming to Microsoft accounts
- GitHub introduces 2-factor login authentication
- How to enable two-factor authentication on Instagram
- Protect your WordPress blog with two-factor authentication
- Report: Twitter to improve security with two-factor authentication
Last month, Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, published an article on Microsoft's Tech Community website in which he concluded that passwords alone do not matter anymore.
He provided a list of common attack types, their frequency and difficulty, how users might assist attackers, and whether the password mattered. According to Weinert's analysis, passwords don't matter in most of them.
Take phishing attacks as an example: the table rates the difficulty as easy, as the attack only requires sending emails to an email list; the emails may look like they come from respected organizations, may provide entertainment, or may make the recipient curious. Tools are readily available, and users fall for this even today. The password plays no role, but it may be stolen by the attacker in the process, depending on the attack.
Does that mean that it does not really matter which password you select? Weinert believes that secure passwords are still relevant as they block certain attack types such as brute forcing. Adding multi-factor authentication to the mix improves the protection significantly, as attackers won't be able to sign in to the service because they will fail to pass the two-factor authentication screen. Passwords may also still play a role, as attackers may try to sign in to other services using them.
Microsoft's intention is not entirely altruistic. The company started to push what it calls passwordless authentication solutions some time ago. You can download a whitepaper from the linked website which offers additional reasoning why passwords are no longer enough to keep accounts secure, as well as a list of solutions that Microsoft created.
Now You: what is your take on Microsoft's analysis and multi-factor authentication? (via ZDNet)