Microsoft Claims That 99.9% of All Account Hacks Can Be Prevented by Adding MFA
Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is not (and will never be) perfect. Motivated cybercriminals have already developed a variety of different tools and techniques that help them bypass 2FA, and they have used them in real-world attacks. Every other day, we read about how OTP codes can be phished and about how mediums like email and SMS don't provide the security required for transmitting this sort of information. Even specialized apps like Google Authenticator are not immune to successful attacks, which makes many doubt the additional security provided by 2FA. In a presentation during last month's RSA Conference in San Francisco, Alex Weinert, Microsoft's Director of Identity Security, brought out some statistics which show just how irrelevant these fears can be.
Almost all compromised enterprise accounts don't use MFA
The figures Weinert showcased regarded enterprise users of Azure AD, Microsoft's identity and access management system, and they act as proof (as if proof was needed) that business cloud-based accounts get compromised all the time. During the month of January alone, Microsoft detected successful attacks against no fewer than 1.2 million accounts. According to Weinert, this represents 0.5% of all users, which might not sound like much, but when you consider that these are the monthly stats only, things start to look a bit more worrying. What's even scarier, however, is the apparent preventability of all these attacks.
A whopping 99.9% of all successfully compromised accounts were not protected by MFA., which really goes to show how badly misplaced the focus can be sometimes. While people are failing to turn on Multi-Factor Authentication because they worry that a motivated attacker can steal their temporary codes, the attackers themselves are breaking into accounts without the need for such codes at all. It's clear that adoption rates are still low, and although security researchers who discover flaws in 2FA systems do it for the greater good of everybody, by pointing out the weaknesses, they are inadvertently deterring people away from the feature. It must be said that this is not the only problem.
Legacy authentication protocols and poor password management also help hackers
We mustn't forget that we're talking about business accounts, which immediately makes things a lot more complicated. As Microsoft pointed out, often, MFA is not even an option for users.
According to the world's most popular OS vendor, the vast majority of account takeover attacks are aimed at organizations that use what Microsoft calls "legacy authentication." These organizations have built their entire IT infrastructures around old protocols that don't allow 2FA at all. Clearly, the attackers know how weak these protocols can be, and they won't shy away from taking advantage of this fact. Unfortunately, switching to a more modern and secure authentication system often involves a lot of work and downtime that companies simply can't afford, which means that users are never given a chance to use two-factor authentication. This shouldn't be an excuse for their poor account security, though.
Alex Weinert said in his presentation that hackers used password spraying to hack into about 40% of January's compromised accounts. In a password spraying attack, the cybercriminals use a relatively short list of commonly used passwords and try them against a wider range of usernames. Because many people tend to use common, easy-to-guess passwords, the attacks are often successful.
Another 40% of the 1.2 million accounts that were broken into during the first month of the year fell victim to breach replay attacks. Breach replay is apparently Microsoft's term for credential stuffing – an attack during which hackers use usernames and passwords stolen from one online service to open accounts at multiple other websites. Once again, people's negligent attitude towards their accounts' security and their tendency to reuse passwords make the attack highly successful.
In theory, preventing account takeover attacks in a corporate environment is a relatively simple job, but the fact of the matter is, there are quite a few factors at play. The discovery of vulnerabilities cast doubt around the efficiency of 2FA, which, coupled with the fact that the feature is not available in all corporate systems, results in poor adoption figures.
To really improve the state of affairs, people must realize how important proper password management is. Companies and service providers must do everything they can to ensure that the extra security provided by 2FA is available at all times, and users should come to terms with the fact that while it's not a panacea, this simple feature can often make the difference between a compromised account and a secure one.