Using Multi-Factor Authentication Blocks 99.9% of Account Takeover Attacks
It was big news in late August when Microsoft said that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. The finding isn’t specific to Microsoft accounts. The same protection applies to any account on any website or online service that offers a second factor.
Today, most service providers support multi-factor authentication, and in most cases there is no charge. The second factor can be as simple as a one-time code sent by SMS, a code generated by an authenticator app on your phone, or, at the advanced end, a biometric.
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.
Weinert said that old advice like “never use a password that has ever been seen in a breach” or “use really long passwords” doesn’t really help.
Weinert should know – his credentials are impressive. He was one of the Microsoft engineers who, back in 2016, worked to ban passwords appearing on public breach lists from Microsoft Account and Azure AD. As a result of that work, Microsoft users who were using, or tried to choose, a password compromised in a previous data breach were told to change it. These days, many providers will not let you use a password that is known to have been compromised. So much for the ever-popular “123456.”
However, Weinert said that even after leaked and simplistic passwords were blocked, hackers continued to compromise Microsoft accounts. Why? Because the strength or complexity of a password matters little when the attacker doesn’t have to guess it. Hackers have many ways of obtaining a user’s credentials outright, such as phishing, malware on the user’s machine, and passwords reused on another site that was later breached.
With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password. Now that’s impressive.
The remaining 0.1% accounts for more sophisticated attacks that capture or relay the second factor itself, for example real-time phishing that forwards the one-time code to the attacker as the victim types it. These attacks are still extremely rare compared to the daily grind of credential-stuffing botnets. What most lawyers fail to realize is how automated these attacks have become.
Microsoft’s claim that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn’t the first of its kind. In May, Google said that users who added a recovery phone number to their accounts (and thus indirectly enabled SMS-based sign-in challenges) were also improving their account security.
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.
We get it – lawyers perennially want convenience over security – they are loath to spend a precious few seconds enabling a second layer of security. We believe that many lawyers think they will have to complete multi-factor authentication every time they log in somewhere. Not necessarily true. In most cases, you can ask your provider to remember your device (phone, laptop, etc.), usually for a limited period. Only when someone tries to log on from an unknown device, or after that period expires, would you have to enter, for instance, a code texted to your phone.
Think about it. If an unknown device is trying to access one of your accounts, you want very much to know about that and have a method of stopping it. That’s what MFA gives you – peace of mind.
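As an added illustration of how “remember this device” fits together with a second factor (example code written for this article, not code from Microsoft, Google or any provider): the server checks the password, then checks a one-time code from an authenticator app, and only after that issues a signed device token. On later logins it skips the second factor only while that token is valid for the same user and the same device; a leaked password presented from an unknown device always hits the challenge. The one-time code is a standard RFC 6238 TOTP. The user’s shared secret, the server signing key, the device identifiers and the 30-day token lifetime are assumptions chosen for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, 30-second step, 6 digits),
# the scheme authenticator apps such as Google Authenticator implement.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    counter = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta).encode(), code.encode()):
            return True
    return False


# "Remember this device": an HMAC-signed token binding user, device id and expiry.
# In a real deployment the token would be set as a cookie in the browser.

def issue_device_token(key: bytes, user: str, device_id: str, now: float,
                       ttl: int = 30 * 86400) -> str:
    payload = f"{user}|{device_id}|{int(now) + ttl}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def device_is_remembered(key: bytes, token: str, user: str, device_id: str, now: float) -> bool:
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False                                       # forged or tampered
        t_user, t_device, t_exp = payload.decode().split("|")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    # Must be for this user, presented from the same device, and not yet expired.
    return t_user == user and t_device == device_id and int(now) < int(t_exp)


def login(key, user_secret, user, device_id, password_ok,
          device_token=None, otp_code=None, now=None):
    """Return (outcome, device_token). The password alone never gets in from an
    unknown device, which is what defeats an attacker holding a leaked password."""
    now = time.time() if now is None else now
    if not password_ok:
        return "denied: bad password", None
    if device_token and device_is_remembered(key, device_token, user, device_id, now):
        return "ok: known device, second factor skipped", device_token
    if otp_code is None:
        return "challenge: second factor required", None
    if not verify_totp(user_secret, otp_code, now):
        return "denied: bad second factor", None
    return "ok: second factor verified", issue_device_token(key, user, device_id, now)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed; constructed input
    KEY = b"\x01" * 32                 # constructed; a real server uses a random key
    t0 = 59
    # Attacker with the leaked password, on a device the server has never seen:
    print(login(KEY, SECRET, "alice", "attacker-box", True, now=t0))
    # Attacker guesses a code:
    print(login(KEY, SECRET, "alice", "attacker-box", True, otp_code="000000", now=t0))
    # Alice with the code from her authenticator app:
    outcome, tok = login(KEY, SECRET, "alice", "laptop-1", True, otp_code=totp(SECRET, t0), now=t0)
    print(outcome)
    # Next day from the same laptop, from another device, and after the token expires:
    print(login(KEY, SECRET, "alice", "laptop-1", True, device_token=tok, now=t0 + 86400)[0])
    print(login(KEY, SECRET, "alice", "phone-9", True, device_token=tok, now=t0 + 86400)[0])
    print(login(KEY, SECRET, "alice", "laptop-1", True, device_token=tok, now=t0 + 31 * 86400)[0])
```

The point to notice is the trade-off the token makes: convenience for the device you normally use, in exchange for trusting that device for the lifetime of the token. That is why providers bound the lifetime, and why a lost laptop should be followed by revoking its remembered status (here, rotating the signing key or shortening the expiry) rather than relying on the password alone.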
And consider this: When both Google and Microsoft are recommending the same thing, it’s probably a good time to start following their advice.
I’ve found that most services only ask me to authenticate when I’m coming from an unexpected device, and then confirm in email later that it was really you that authenticated.
The latter is necessary (and very handy!) when the site uses SMS, as anyone can get a number from a site like https://receive-smss.com/ or eavesdrop on, for example, your children, with a free text-message interceptor like https://xyspy.com/
I mildly recommend the Google Authenticator I use on my phone, as it only takes two taps to get a one-time code for a service.
In reply to David’s comment, many of those SMS number sites like receive-smss.com are actively blocked by companies because they can identify VOIP numbers. I used a site called quackr.io and was able to bypass SMS verification using it.