Microsoft: 2-factor authentication blocks 99.9% of account attacks effectively
What is the best protection against attacks on accounts? Microsoft believes that it is 2-factor authentication, and the company has stats to back it up. Microsoft says that 2-factor authentication, sometimes also called two-step verification or multi-factor authentication, blocks 99.9% of automated attacks.
Microsoft notices over 300 million fraudulent sign-in attempts every day to company cloud services, 167 million daily malware attacks, and over 4000 daily ransomware attacks against organizations.
The most effective form of protection against automated attacks is to enable multi-factor authentication if the service supports it according to Microsoft. Not all services do but if it is supported, users should enable it to protect their accounts against the majority of attacks automatically says Microsoft.
We have published several guides in the past that walk you through the steps of setting up two-factor authentication for certain services. Here is a short selection:
- Configure Two-Step Authentication for Firefox Accounts
- Facebook Login Approvals, Optional Two-Factor Authentication
- Finally: Two-Factor Authentication coming to Microsoft accounts
- GitHub introduces 2-factor login authentication
- How to enable two-factor authentication on Instagram
- Protect your WordPress blog with two-factor authentication
- Report: Twitter to improve security with two-factor authentication
Last month, Group Program Manager for Identity Security and Protection at Microsoft Alex Weinert, published an article on Microsoft's Tech Community website in which he concluded that passwords alone do not matter anymore.
He provided a list of common attack types, their frequency and difficulty, how users might assist attackers, and whether the password mattered. Passwords don't matter in most of them according to Weinert's analysis.
Take phishing attacks as an example: difficulty is easy according to the table as it requires sending out emails to an email list that may look like they come from respected organizations, may provide entertainment, or make the recipient curious. Tools are readily available and users fall for this even today. The password plays no role but it may be stolen by the attacker in the process depending on the attack.
Does that mean that it does not really matter which password you select? Weinert believes that secure passwords are still relevant as they block certain attack types such as brute forcing. Adding multi-factor authentication to the mix improves the protection significantly as attackers won't be able to sign-in to the service as they will fail to pass the two-factor authentication screen. Passwords may also still play a role as attackers may try to sign-in to other services using them.
Microsoft's intention is not entirely altruistic. The company started to push what it calls passwordless authentication solutions some time ago. You can download a whitepaper from the linked website which offers additional reasoning why passwords are no longer enough to keep account secure as well as a list of solutions that Microsoft created.
Now You: what is your take on Microsoft's analysis and multi-factor authentication? (via ZDNet)
If you don’t use MFA with services that offer it, then if a hacker gets access to your account, then they may be able to enable MFA and lock you out, permanently.
https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you
An interesting read on this topic: https://infosec-handbook.eu/blog/yubikey4c-nitrokeypro/
While M$ may have helped in part to develop (in concert with Yubico, and other reputable Security companies) it, all analysis has proven the webAuthn protocol, whether used as a first or second factor authentication method to be 100% immune to all social engineering attacks (phishing) regardless of the user’s stupidity, as well as 100% immune to every method of attack taking place remotely. It doesn’t require any personal information to enact and is honestly a better option than a password and faster/simpler to use. Hopefully its adoption by all major online services will happen, perhaps sooner if M$ wasn’t promoting it thereby making its competitors (Google, Amazon, etc) refuse to offer it to their users (so far).
I hate dealing with OATH 2FA even having my secrets stored on a Yubikey as it’s annoying to have to do each login. I switched to webAuthn for every service I use that offers it and it’s the easiest thing in the world. Type username, hit Enter, touch blinking light on Yubikey, you’re logged in, done. Smooth as butter. I suppose putting every PW management service out of business all at once however is a good enough reason to NOT use such a flawless authentication method. Pff!
@ anon
What services did you find that accept this passwordless login ? what Yubikey do you use ?
Whether MS did a cursory look at the issue, dug deeper or just put out some numbers, IDK but over 467,000 successful attacks per day is not so good. One in a thousand is not good control over something they claim to understand.
Google, ebay and others want a phone number, no way. Occasionally, I have to enter a one time passcode to enter an account; if the request comes from anyone but a financial institution, the email that gets the code suddenly gets spammed relentlessly for weeks.
No rush here to give another attack vector to those claiming to protect us against attacks.
When someone asks for your phone number as part of 2FA, that is an attack on your privacy!
I had read the article by Weinert, and became immediately suspicious of it. I’m not an expert enough to say it with certainty, but I’m almost sure that the title is misleading to the point of being wrong.
“Your password does not matter” stinks clickbait to high heavens.
First of all, this is an article written for system administrators. The “99.9%” Microsoft article targets businesses. That’s completely different from the point of view of the individual user trying to secure his access to various Internet services.
There’s a question I’d like to ask : how much of that becomes wrong when you only use long, random and unique passwords handled by a password manager ? My guess would be : a whole lot.
And another thing : when you’re a manager in a company, you have to assume stupidity. Statistically, it’s a given that out of 100 % of your employees, there will be a portion of them with bad password hygiene, clicking on phishing links, etc. So you need to protect against that.
A tech blog such as this addresses individual users who make their own decisions — not to mention that their tech level is somewhat higher than average.
Finally, the Microsoft study and articles aim at allowing 2FA, or even making it compulsory for their own employees’ access. They don’t only address public access to the company’s website. And it’s a policy move. Microsoft wants to push companies in a certain direction. Which includes passwordless access. This is not meant to happen overnight.
That being said, I just activated 2FA for some of my accounts for the first time. I did it with Kee Pass and its Kee OTP plugin.
My advice, when providing recommendations about 2FA to individual users, would be :
1. Stop the simplistic propaganda. Don’t tell people they absolutely must do 2FA right now, and everything will be so much better.
2. 2FA is hard. It’s complex. It’s incredibly difficult to understand — no comparison with the concept of a password. It’s also not standard. There are a hundred different implementations. A password is a password. It works with pen and paper. People used passwords two thousand years ago.
3. As a result of being difficult to understand, 2FA is dangerous. Incredibly so. It’s very easy to get locked out of your accounts when something goes wrong, and then recovery is very difficult. 2FA is mostly done through smartphones, an appliance which is easily lost, stolen, broken or swapped.
4. Advice n°1 would be : don’t rush it. Don’t activate 2FA because it’s the cool thing to do and everybody tells you so. Take the time to understand how it works, and chose your own implementation. Most 2FA articles lack hugely important pieces of information.
5. Advice n°2 would be : backup everything, multiple times. The secret keys for each site. The equivalent QR codes. The recovery codes many 2FA-enabled sites will give you. Even the physical devices used for 2FA, if possible (link two phones to each site, a phone and a tablet, etc).
6. Advice n°3 would be : aim for usability and simplicity. Usability and simplicity are part of security. It’s only safe if it’s a no-brainer.
> Clairvaux: “2FA is dangerous. Incredibly so. It’s very easy to get locked out of your accounts when something goes wrong, and then recovery is very difficult. 2FA is mostly done through smartphones, an appliance which is easily lost, stolen, broken or swapped.”
Incidentally, I am locked out of my Gmail account, because my ISP assigns me dynamic IP addresses, & Google has decided to that I am trying to break into my own email account — despite me supplying the correct (complicated password), & despite my IP address remaining in the same geographic range as my most recent login.
I supplied my recovery email address that is registered with my Gmail account for the temporary passcode, but Google refuses to send the passcode, instead insisting on a phone number for SMS 2FA.
The Gmail account was set up 10 years ago without any phone no. Moreover, I have neither a mobile plan, nor any smartphone to install whatever authentication app. And even if I were to possess a mobile no., I’m not interested to give it to Google (or any other entity like Microsoft or Facebook).
I recently also came across Gmail users who got locked out, because they had relocated to another country for work & thus can’t access their old mobile no. registered with the email account. And guess what … Google forum’s community advisers told the affected users that the only way to recover their Gmail accounts is to move back to the home country & get the 2FA SMS from there !
> Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
> Password reuse, […] Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.
According to the article two of the most common vulnerabilities are directly related with the fact that people choose weak passwords; and of course from there once inside the organization it becomes easier for the attacker to steal information…
This study is completely missing the point: passwords are supposed to be strong! The solution is simply to use a password manager and use unique password, it takes a couple of clicks and you’re done. I’m not suggesting that 2FA is a bad idea, on the contrary is an excellent security mechanism… but as pointed out we have to hand over more data to companies that have proven themselves incapable of handling that data responsably. Do you see the irony here?
Giving on going progress of attack on authentication, additional parameter can also be combined into play on authentication process such as require additional factor as mandatory process of the authentication. These additional parameter are ‘new’:
-location
-device-used/browser-ID.
So the design of authentication should understand the nature human and smart enough to authenticate ‘not-in-complex-way’.
Where new location or new device-used/browser-ID was used and detected during authentication then it is mandatory to prompt additional authentication factor into play.
The authentication server shall prompt for additional code-signing with these variant as per user’s choices:
-send code via sms
-send approve button via email
-approve button via trusted-device
-prompting biometric’s factor to camera to proceed
My theory prompting biometric’s factor to camera to proceed become the most secure to proceed regardless spoofing attack. Two biometric factor come into play are:
-Face
-Finger
Earlier this year the 2-factor authentication was bypassed by hackers by ease. No, it is NOT safe !
Yes, app-based 2FA has been breached at least once, but this was a targeted attack, probably by an Iranian intelligence agency. User Joe Blow is never going to be targeted by such an attack.
There’s no such thing as safe / unsafe. Security is not a black and white thing. It’s completely unserious to say you should not use app-based 2FA because of this.
That being said, only a hardware key will completely protect you against phishing. However, sites which offer this are much rarer than those which offer app-based 2FA — which, themselves, are few and far apart.
It’s all fine and dandy saying you should not use app-based 2FA because it’s not 100 % secure, but if the site you need to protect only offers this, and not hardware-based 2FA, following such a piece of advice actually degrades security.
> Clairvaux: “only a hardware key will completely protect you against phishing […] It’s all fine and dandy saying you should not use app-based 2FA because it’s not 100 % secure, if the site you need to protect only offers this, and not hardware-based 2FA, following such a piece of advice actually degrades security.”
I use a hardware token for online banking authentication — supposedly the most secure method, right ?
Yet there are some online banking options (eg. change ATM withdrawal limits) that I’m not allowed to access by using my hardware token. Instead, the bank insists on either a mobile number (for SMS 2FA), or smartphone app-based 2FA — both of which are less secure than hardware-based authentication.
What’s the warped reasoning behind this ? To chase whatever that’s trendy ? Or that I can’t be the genuine account-holder (or even a real human), because I use hardware-based authentication ?
So M$ is lying when it says 99.9% . . .?
@vip Would be easier to say when MS is not lying. Google and Apple too, for that matter.
Link? I need to read it myself.
@D:
I assume that stefann is referring to the GMail & Yahoo breaches: https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/
The thing about those breaches is that they were successful phishing attacks. No security approach can be effective when users are tricked into revealing credentials.
Even ignoring social engineering attacks, it’s certainly true that MFA doesn’t provide 100% security — literally nothing does. Perfect security is objectively impossible, which is why the first rule of security (online or otherwise) is “if a thing can be accessed legitimately, it can be accessed illegitimately.” The only question is how much time and effort is required.
That said, MFA provides stronger security than other schemes that people are willing to tolerate. In my opinion, passwords, properly done and managed, can be better — but almost nobody is willing to do them properly. So, for the average person, MFA really is a large improvement.
Secure services do not require such a cumbersome nonsense and simply block access after a few failed attempts. Apparently, Microsoft does not offer secure services.
I think a long random password that is used for only 1 service is better than most current forms of two-factor authentication.
Two-factor authentication that sends a code via sms to your phone is not secure due to ‘sim swap fraude’ and you have to give them your phonenr.
The code can be sent to authenticator mobile app, but then you have to give them info about your phone (often your phonenr), and most Android phones are not secure and Apple phones are too expensive for most people.
The code can be sent to one of your email addresses, but not all services do this. Some demand the code is sent to your phone or authenticator mobile app.
If we lived in a world where we could trust companies enough to give them our phonenrs or use apps on their phones without fear of our private data being abused or stolen, it may have been a different story.
Another big problem with two-factor authentication is the trouble you get into if your phone or yubikey is lost or stolen. You may lose access to your data for a long time or even forever.
The big problem with using just a long random password, if that a hacker only needs to get that password to get to your data.
So we need a better solution that what we have now.
I do not think biometrics is the answer. Biometrics is not accurate enough to work all the time and has been spoofed, and you can lose you fingers, face, eyes or voice to accidents, disease, or violence.
Giving big tech companies that spy on you, your biometric data (face, voice, fingerprint) is a big risk. Changing your password is much easier than changing the biometrics of your body.
@Sunny: “Another big problem with two-factor authentication is the trouble you get into if your phone or yubikey is lost or stolen. You may lose access to your data for a long time or even forever.”
This isn’t really a problem with dongles like the Yubikey (or phone-based, for that matter, although I don’t think that sort of MFA is a good idea for the reasons you state).
All MFA implementations that I am familiar with provide one or more text-based codes that are intended for you to save somewhere safe (preferably not on a computer) so that you can still get access if you lose the device. You will be able to get back in quickly, and revoke the ability to use the lost device as the second factor.
Multifactor authentication is a great idea.
But, personally, the only type I’m OK with is token-based, like the Yubikey. I’m not OK with MFA that requires supplying additional identifying data (such as phone numbers) to companies like Microsoft, Facebook, Google, etc.
for me…. the idea I would ever give my phone number or any stuff like to any of these American companies or any other for this purpose ….is absolutely hilarious…