“It looks like you’re at risk of being hacked. Would you like to start using multi-factor authentication?”
Yes, this might be a fictional prompt from a long-abandoned Clippy, but maybe the digital assistant needs to step in—because only 28% of Microsoft users were using multi-factor authentication (MFA) as of December 2022.
In fact, according to a blog post from Microsoft’s VP of identity security, Alex Weinert, 99.9% of user accounts that are compromised don’t have MFA authorized. Hackers launch thousands of password attacks every second against Microsoft systems, targeting users who aren’t protected by MFA.
“Multi-factor authentication is one of the most basic defenses against identity attacks today,” Weinert wrote, adding that the 28% adoption rate was confounding and had the expected reaction from hackers: “With such low coverage, attackers increase their attack rate to get what they want.”
The difference in numbers is stark: Where those unprotected by MFA see thousands of attacks per second, users with the security measure experience a relatively low amount of tens of thousands of attacks per month. Weinert said he recommends Microsoft users take steps to protect themselves beyond simply any multi-factor authentication and use products like Microsoft Authenticator, Windows Hello, and FIDO.
Feeling sleepy. But as IT Brew reported last year, MFA fatigue—where attackers find a password and send request after request to a user’s device in hopes they’ll finally give up and give the go-ahead—works with Authenticator as well.
“What Microsoft did was [try] to make it as simple as possible. They made it too simple,” SANS Institute Director Lance Spitzner said. “That’s what bad guys are taking advantage of.”
The future is likely to focus less on passwords and more on biometrics and codes. For now, though, MFA is the best way to ensure security for the vast majority of users: It’s easy to use, makes intuitive sense, and is set up across multiple companies and the internet.
That makes the resistance to using it from more than 70% of Microsoft users so confounding—especially as the nature of MFA itself is changing, Weinert wrote.
“Old-fashioned, bolt-on multi-factor authentication was clunky, requiring copying codes from phone to computer and getting multiple prompts,” Weinert wrote. “Modern multi-factor authentication using apps, tokens, or the device itself is very low friction or even invisible to the users.”
