Multifactor Authentication improves security by blocking 99.9% of automated attacks

Security breaches are on the rise as we all start working remotely. Microsoft cloud services are seeing 300 million fraudulent sign-in attempts every day. Much of the time it is human error that leads to successful hacks and cybercrime, but multifactor authentication (MFA) adds a crucial security measure: a second verification step that is required when signing in.

We are one data breach away from having our entire online life turned upside down. The problem is passwords, which are far too fragile to secure valuable resources on their own; their length or complexity no longer makes much difference. Nowadays, hackers have many methods at their disposal to get their hands on users’ credentials, and in most cases the password itself doesn’t matter.

Even with reasonable policies in place (complexity, changed regularly, not reused), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone. Microsoft says that users who enable MFA for their accounts will end up blocking 99.9% of automated attacks.

If a service provider supports multi-factor authentication, Microsoft recommends using it, even if it’s as simple as SMS-based one-time passwords. Exponant deploys multifactor authentication, or MFA, as an integral part of our security solution.

Turning on MFA forces the user to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device, which can be inconvenient and seem a waste of time to the user. But after they successfully meet that challenge, they usually have the option to categorise the device as trusted, which means that MFA requests should be relatively rare on the devices they use regularly.

Those two forms of authentication can come from any combination of at least two of the following elements:

  • “Something you know,” such as a password or PIN;
  • “Something you are,” such as a fingerprint or other biometric ID; or
  • “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device

If someone tries to sign in to an account protected by MFA, they’ll need the second proof, such as the code from an authenticator app. If the sign-in request comes from someone who has stolen the account’s credentials, they’ll be stopped dead in their tracks: without that code, they can’t continue the sign-in process.

The simplest MFA option is a code, sent via SMS message to a registered phone.

Multi-factor authentication will stop most casual attacks dead in their tracks. It’s not perfect, though. A determined attacker who is directly targeting a specific account might be able to find ways to work around it, especially if he can hijack the email account used for recovery or redirect phone calls and SMS messages to a device he controls. But if someone is that determined to break into your account, you have a bigger problem.

Editorial Contact: Kate Elphick