Microsoft says users who enable multi-factor authentication (MFA) on their accounts can block 99,9% of automated attacks.
The recommendation applies not only to Microsoft accounts, but also to any other profile, on any other website or online service.
If your service provider supports multi-factor authentication, Microsoft strongly recommends using it, whether it is simple, such as SMS-enabled passwords, or advanced biometric data solutions.
"Based on our research, your account is 99,9% less likely to be compromised if you use an MFA," said Alex Weinert, Program Manager for Microsoft Security and Identity Protection.
Passwords no longer matter
Weinert also said that the old advice of "never use a password found in a breach" or "use very large passwords" does not really help.
He must know something. Weinert was one of the Microsoft technicians who worked to stop the use of passwords that exist online from previous breaches. The company executive has been trying to stop using the specific passwords in the services: Microsoft Account and Azure AD since 2016.
The result; Microsoft users who used or were trying to use a leaked password should immediately change their credentials.
But Weinert noted that despite the ban, hackers continued to hack into Microsoft accounts in the years that followed.
He attributed this to the fact that passwords or their complexity no longer matter. Today, hackers have many different methods at their disposal to obtain users' credentials and in most cases the password does not matter.
With more than 300 million account hacking attempts occurring daily in Microsoft cloud services, Weinert says enabling multi-factor authentication solutions prevents 99,9% of these unauthorized login attempts, even if hackers know the password of the user.
0,1% corresponds to the much more sophisticated attacks that use technical means to obtain MFA tokens, but these attacks are still very rare compared to the daily life of botnets.
In May, Google had he says something similar, namely: that users who added a recovery phone number to their accounts (and indirectly activated 2fa via SMS) also improved their account security.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots attacks, 99% of mass phishing attacks and 66% of targeted attacks that occurred during of our research.
So since Microsoft and Google agree, it would be good to listen to them. From iGuRu.gr we have he says again in previous posts that changing passwords does not really help.
Picture MFA: NIST