Microsoft see 300 million fraudulent sign-in attempts EVERY DAY on their cloud services.  They say that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

What Microsoft Say:

“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Google said the same thing in May

Back in May, Google said that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) were also improving their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

When both Google and Microsoft are recommending the same thing, it’s probably a good time to start following their advice.

CTO recommends MFA not only for Microsoft and Google accounts but also for any other profile, on any other website or online service.  If your service provider supports multi-factor authentication, the CTO Team recommends using it, regardless of whether it’s something as simple as SMS-based one-time passwords or an advanced biometric solution.

Is my password not strong enough?

It might be, but the fact is that hackers have different methods to get their hands on your credentials.

  • Credentials from breached sites can be purchased easily.  Lots of people re-use passwords, so re-trying those credentials on other services is an obvious next step for an attacker.
  • Common passwords account for many breaches.  Password123, Welcome!23, LetMeIn…  You are asking for trouble.
  • Keystroke logging is common practice for hackers who manage to infect your computer with malware.
  • Brute-force attempts on open ports that are not effectively protected by firewalls allow hackers to spend weeks, months and years just trying to get in.
  • Phishing emails can send unsuspecting end users to “pretend” sites to confirm their credentials.  The credentials get recorded straight into the hackers’ hands.

In most cases, an end user gives up their password unknowingly.  So it doesn’t really matter how strong it is anymore (though we’d still recommend you stay away from the common passwords mentioned above).

With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.  The remaining 0.1% accounts for more sophisticated attacks that use technical means to capture MFA tokens, but these attacks are still very rare when compared to the daily hum of credential stuffing botnets.

What’s the Difference Between 2FA and MFA?

You see, all 2FA are MFA, but not all MFA are 2FA! Let’s take a closer look:

What is Two-Factor Authentication (2FA)?

2FA combines something you know, like a password, with something you have, such as a mobile phone. 2FA obliges you to use both elements to authenticate your identity.

What is Multi-Factor Authentication (MFA)?

MFA takes this one step further by combining something you know, something you have, and something that is unique to your physical being — like your retina or fingerprint. You need all of them to authenticate your identity.  Technically the ‘multi’ in MFA refers to more than one factor. So in this sense, MFA could have two factors, three factors, four factors…or more.