Multi-Factor Authentication Stops 99.9% of Automated Cyberattacks

A new report from Microsoft suggests 99.9% of all automated cyberattacks on Microsoft platforms and other online services are blocked by multi-factor authentication, highlighting the importance of this security measure for stopping data breaches.

Microsoft says that there are more than 300 million fraudulent sign-in attempts to Microsoft cloud services every day and that figure is steadily growing. There are also around 167 million daily malware attacks and 4,000 ransomware attacks. In many cases these attacks succeed without the use of advanced technology and techniques.

Many data breaches occur as a result of the use of weak passwords, the sharing of passwords on multiple platforms, a failure to patch known vulnerabilities, and the continued use of legacy systems.

According to a recent report from the Sans Institute, the most common vulnerabilities exploited by cybercriminals are business email compromise, the use of legacy protocols, and the reuse of passwords.

73% of passwords are duplicates and are used for work and personal accounts or are reused across multiple online platforms. If a data breach is experienced and credentials are stolen, they can then be used to gain access to multiple accounts. Microsoft says 81% of breaches are due to credential theft.

Legacy protocols are a major weakness because they are not designed to manage multi-factor authentication. These legacy protocols are targeted by hackers as they can be used to force the use of less secure protocols.

Improving Security is Straightforward

There are many simple steps that can be taken by businesses to improve security. Businesses should be providing security awareness training to the workforce to make sure employees are aware of the risks from phishing and know how to identify phishing emails. Password policies should be implemented and enforced to ensure that strong passwords are set, and legacy authentication should also be changed.

While all these steps are necessary, the single most important measure to implement is multi-factor authentication. Microsoft even goes as far as saying that with MFA implemented, passwords really don’t matter. If the password is guessed or otherwise obtained, it cannot be used to access an account with MFA enabled.

Many businesses are reluctant to implement multi-factor authentication in the mistaken belief that MFA requires the use of external hardware devices or that it will cause disruption to users, when that is not the case.

To make it easier, Microsoft suggests implementing MFA on a select group of employees initially, before rolling it out across the organization. Alternatively, businesses could choose to go password-less and use authentication methods such as WebAuth or CTAP2 – collectively known as FIDO2 – or biometrics in place of passwords.

“With the increase in sophisticated MFA phishing and bigger cracking rigs (including quantum), what we really need is a cryptographically strong credential bound to the client hardware that stores a benign artifact online, which makes the inevitable punchline better credentials (like FIDO2),” said Microsoft’s Group Program Manager for Identity Security and Protection Alex Weinert.

Further information on password-less authentication methods can be found in the Sans Institute white paper, Bye Bye Passwords: New Ways to Authenticate, which can be downloaded on this link.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of