Microsoft: 2-factor authentication blocks 99.9% of account attacks effectively


Karlston

What is the best protection against attacks on accounts? Microsoft believes that it is 2-factor authentication, and the company has stats to back it up. Microsoft says that 2-factor authentication, sometimes also called two-step verification or multi-factor authentication, blocks 99.9% of automated attacks.

Microsoft notices over 300 million fraudulent sign-in attempts every day to company cloud services, 167 million daily malware attacks, and over 4000 daily ransomware attacks against organizations.

(Image: Microsoft two-factor authentication)

The most effective form of protection against automated attacks, according to Microsoft, is to enable multi-factor authentication if the service supports it. Not all services do, but if it is supported, users should enable it to protect their accounts automatically against the majority of attacks, Microsoft says.

We have published several guides in the past that walk you through the steps of setting up two-factor authentication for certain services. Here is a short selection:

Last month, Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, published an article on Microsoft's Tech Community website in which he concluded that passwords alone do not matter anymore.

He provided a list of common attack types, their frequency and difficulty, how users might assist attackers, and whether the password mattered. Passwords don't matter in most of them according to Weinert's analysis.

Take phishing attacks as an example: difficulty is easy according to the table as it requires sending out emails to an email list that may look like they come from respected organizations, may provide entertainment, or make the recipient curious. Tools are readily available and users fall for this even today. The password plays no role but it may be stolen by the attacker in the process depending on the attack.

Does that mean that it does not really matter which password you select? Weinert believes that secure passwords are still relevant as they block certain attack types such as brute forcing. Adding multi-factor authentication to the mix improves the protection significantly, as attackers won't be able to sign in to the service because they will fail to pass the two-factor authentication screen. Passwords may also still play a role, as attackers may try to sign in to other services using them.

Microsoft's intention is not entirely altruistic. The company started to push what it calls passwordless authentication solutions some time ago. You can download a whitepaper from the linked website which offers additional reasoning why passwords are no longer enough to keep accounts secure, as well as a list of solutions that Microsoft created.

Source: Microsoft: 2-factor authentication blocks 99.9% of account attacks effectively (gHacks - Martin Brinkmann)

1 hour ago, mp68terr said:

Are there 2-factor authentication methods that do not require to give these companies our private phone number?

You need 2 forms of ID to use it, an email and a phone number on desktop. On a smartphone you can use an email and a phone number or the Microsoft Authenticator app, because Google already has your phone number.

Even if you don't use 2-factor, if you use a VPN you will get locked out and they will ask for a phone number. When I started using a VPN years ago I stopped using Big Tech's silly spyware services. To each their own; the government has access to whatever you store at Microsoft regardless of whether you use 2-factor or not.

I prefer the old system where you could set one email ID to login to your account with, and another one to exchange messages with. I had it set up back in the days but I haven't logged into any web environment for long. I wonder if this system is still used - or if all email IDs attached to the same account can be used to login.

I haven't explored 2-FACTOR authentication, but there are already two problems with it I can think of:

First, I imagine that, much like the 2-STEP method, during initial setup 2-FACTOR will generate backup/recovery codes, in case a user can't reach the app or service to get that secondary one-time password. I've seen these, and some of these backup codes are just a few digits long: short and easy to write down quickly by a passer-by to use later on.

There is also no guarantee that during a potential breach where passwords get leaked, these digits are not going to leak all the same. You may change your passwords every once in a while, but how about these recovery codes?

Second, I hear there are methods to hijack SMS sent out to phones. Not yet easy for all to use but I imagine it will be. This doesn't make 2-FACTOR effectiveness any more encouraging.
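As an added example (not from the gHacks article or from any comment in this thread), here is how a service can issue recovery codes that answer the two objections above: each code carries 80 bits of randomness rather than a few digits, and only a salted, slow hash of each code is stored, so a breached database does not expose usable codes and each code works exactly once. The code length, iteration count and record layout are assumptions for illustration, not Microsoft's implementation.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this illustration, not anything Microsoft publishes.
CODE_BYTES = 10          # 80 bits of entropy per code
CODES_PER_USER = 8
PBKDF2_ROUNDS = 50_000   # slow hash so a leaked table cannot be brute-forced cheaply


def generate_codes(n=CODES_PER_USER):
    """Return n random recovery codes, grouped as xxxxx-xxxxx-xxxxx-xxxxx."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(CODE_BYTES)                       # 20 hex chars
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    return codes


def _normalize(code):
    # Accept codes typed with or without separators and in any letter case.
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


def store_codes(codes):
    """Build the records to persist: a per-code salt and hash, never the plaintext."""
    records = []
    for code in codes:
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return records


def redeem_code(records, presented):
    """Consume one matching unused code. Returns True on success; each code is single-use."""
    for rec in records:
        if rec["used"]:
            continue
        # Constant-time comparison so timing does not reveal how close a guess was.
        if hmac.compare_digest(_hash_code(presented, rec["salt"]), rec["hash"]):
            rec["used"] = True
            return True
    return False
```

A leaked table of these records is no more useful to an attacker than a leaked table of properly hashed passwords, and rotating codes is just a matter of calling generate_codes and store_codes again.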
