Multi factor authentication blocks 99% of account hacks? That’s a big call and it was made by Microsoft who see over 300 million fraudulent sign-in attempts every day. Cyber security experts take note.
What is Multi factor Authentication (MFA)?
MFA is an additional step in your authentication procedure. Traditional authentication is a username and password. The problem with this authentication is that if someone gains access to your password they can log on as you very easily.
Getting people’s passwords is now a relatively simple task for attackers. Every day online databases are being hacked or “lost”, exposing the username and passwords of their user base. Why is that a big deal for your systems? Well, as it turns out, people re-use their passwords across multiple online systems. Check out the Disney+ hack that exploited this.
How MFA works
Yep, just like the picture says.
You use your username and password to start the logon process, you are then prompted by the app to provide a code from your phone, you use the code (that is active for only ~30 seconds) to finalise your login.
Sure it’s less convenient than just entering your username and password, but it’s a lot more secure. An attacker would need your username, password AND access to your mobile phone in order to log in to your systems.
Passwords really don’t matter anymore
Are we heading towards a passwordless future? It certainly doesn’t matter if you use a super-long and “secure” password if it’s included in a data breach. In fact, Google has implemented physical security keys to use in conjunction with your authentication – check out their Titan Security Key.
A physical security key is really secure. If you don’t have the key you simply will be unable to log into your system. There’s the obvious disadvantage of potentially LOSING your security key which adds all kinds of complexity around the security of your whole network.
Hackers have myriad ways to gain access to computer networks as outlined in this table:
|Attack||Also known as . . .||Frequency||Difficulty: Mechanism||User assists attacker by . . .||Does your password matter?|
|Credential Stuffing||Breach replay, list cleaning||Very high – 20+M accounts probed daily in MSFT ID systems||Very easy: Purchase creds gathered from breached sites with bad data at rest policies, test for matches on other systems. List cleaning tools are readily available.||Being human. Passwords are hard to think up. 62% of users admit reuse.||No – attacker has exact password.|
|Phishing||Man-in-the-middle, credential interception||Very high. 0.5% of all inbound mails.||Easy: Send emails that promise entertainment or threaten, and link user to doppelganger site for sign-in. Capture creds. Use Modlishka or similar tools to make this very easy.||Being human. People are curious or worried and ignore warning signs.||No – user gives the password to the attacker|
|Keystroke logging||Malware, sniffing||Low.||Medium: Malware records and transmits usernames and passwords entered, but usually everything else too, so attackers have to parse things.||Clicking links, running as administrator, not scanning for malware.||No – malware intercepts exactly what is typed.|
|Local discovery||Dumpster diving, physical recon, network scanning.||Low.||Difficult: Search user’s office or journal for written passwords. Scan network for open shares. Scan for creds in code or maintenance scripts.||Writing passwords down (driven by complexity or lack of SSO); using passwords for non-attended accounts||No – exact password discovered.|
|Extortion||Blackmail, Insider threat||Very low. Cool in movies though.||Difficult: Threaten to harm or embarrass human account holder if credentials aren’t provided.||Being human.||No – exact password disclosed|
|Password spray||Guessing, hammering, low-and-slow||Very high – accounts for at least 16% of attacks. Sometimes 100s of thousands broken per day. Millions probed daily.||Trivial: Use easily acquired user lists, attempt the same password over a very large number of usernames. Regulate speed and distributed across many IPs to avoid detection. Tools are readily and cheaply available. See below.||Being human.
Using common passwords such as qwerty123 or Summer2018!
|No, unless it is in the handful of top passwords attackers are trying.|
|Brute force||Database extraction, cracking||Very low.||Varies: Penetrate network to extract files. Can be easy if target organization is weakly defended (e.g. password only admin accounts), more difficult if appropriate defenses of database, including physical and operation security, are in place. Perform hash cracking on password. Difficulty varies with encryption used. See below.||None.||No, unless you are using an unusable password (and therefore, a password manager) or a really creative passphrase. See below.|
With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Microsoft says that enabling a multi-factor authentication solutions blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.
Google agrees. Their research “shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
When Microsoft and Google start agreeing on the same thing it might be a good time to start taking notice and following their advice!
Implementing multi factor authentication requires Cyber security expertise and this can come in the form of your internal IT team or an outsourced Managed IT Services provider.