My University Went All MFA Today!

If your company does not have MFA, please ask why?

Today, my university switched to MFA (Multifactor Authentication), so that we can now use out-of-band authentication on our mobile phones to protect our email system. It is a major step forward in security, as many people in academia use their university email account as the core of their identity. So, just like so many of my other logins, I can now add my email login to the authenticator application. In fact, it all seems so old fashioned when my bank sends me a code by SMS.

The answer to many security questions is often: enable MFA (Multi-factor Authentication). It seems obvious that it massively improves security, and last week Microsoft released data showing that 99.9% of the accounts that were compromised did not use MFA. Within their research, they monitored over one billion users per month and logged over 30 billion login alerts every day. The rate of compromise they found was around 0.5% (1 in 200), or around 1.2 million account compromises a month.

But enterprises are generally not enabling MFA, and Microsoft found that only 11% had enabled it for their accounts. The top two methods of compromise are password-spraying (around 40% of all compromises) and password-replay (around 40% of all compromises).

With password-spraying, an attacker tries a range of user names with commonly used passwords, aiming to get a hit eventually. Often they will not use brute-force against a single account, as that would result in a lock-out. But the random spraying will likely lead to one account being compromised within an organisation, and the attacker can then use this as a pivot point against the rest of the network.
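The lock-out point above is also what makes spraying detectable: a brute-force attempt produces many failures on one account, while a spray produces one or two failures on each of many accounts from the same source, each staying under the lock-out threshold. The following is an added example (not from the original post) that runs that distinction over a few constructed authentication log lines; the log format, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: one spraying source, one brute-forcing source, one ordinary user.
SAMPLE_LOG = """\
2024-03-01T08:00:01 login user=alice src=198.51.100.7 result=FAIL
2024-03-01T08:00:02 login user=bob   src=198.51.100.7 result=FAIL
2024-03-01T08:00:03 login user=carol src=198.51.100.7 result=FAIL
2024-03-01T08:00:04 login user=dave  src=198.51.100.7 result=FAIL
2024-03-01T08:00:05 login user=erin  src=198.51.100.7 result=FAIL
2024-03-01T08:00:06 login user=frank src=198.51.100.7 result=OK
2024-03-01T08:01:00 login user=carol src=203.0.113.9  result=FAIL
2024-03-01T08:01:01 login user=carol src=203.0.113.9  result=FAIL
2024-03-01T08:01:02 login user=carol src=203.0.113.9  result=FAIL
2024-03-01T08:01:03 login user=carol src=203.0.113.9  result=FAIL
2024-03-01T08:02:00 login user=dave  src=192.0.2.4    result=FAIL
2024-03-01T08:02:05 login user=dave  src=192.0.2.4    result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+login\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>FAIL|OK)$"
)

# Assumed policy values: the account lock-out limit the sprayer is staying under,
# and how many distinct accounts one source must fail against before we call it a spray.
LOCKOUT_THRESHOLD = 3
SPRAY_MIN_USERS = 5


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are skipped, not guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(text: str) -> dict[str, dict]:
    """Return, per source address, a verdict plus the counts it was based on.

    brute-force   : some single account saw >= LOCKOUT_THRESHOLD failures from this source
    password-spray: many distinct accounts failed, each below the lock-out threshold
    (sources with neither pattern are not reported)
    """
    fails: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    successes: dict[str, set[str]] = defaultdict(set)
    for e in parse_log(text):
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    verdicts: dict[str, dict] = {}
    for src, per_user in fails.items():
        distinct = len(per_user)
        worst = max(per_user.values())
        if worst >= LOCKOUT_THRESHOLD:
            verdict = "brute-force"
        elif distinct >= SPRAY_MIN_USERS:
            verdict = "password-spray"
        else:
            continue
        verdicts[src] = {
            "verdict": verdict,
            "distinct_failed_users": distinct,
            "max_failures_per_user": worst,
            # A success after a spray is the compromised account to go and look at.
            "succeeded_users": sorted(successes.get(src, set())),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Note that the sprayer never trips the per-account lock-out (one failure per user), which is exactly why per-account counters alone miss it; the per-source view, and the success that follows the failures, is what surfaces it.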

With password replay, an attacker uses a previously known password, and then tries that against the same user's other accounts. For example, if a user was found to have a password of “MyLovelyCat” in a data breach, an attacker could then replay that against other sites. This has a high success rate, according to Microsoft, as 60% of users reuse their passwords. Microsoft also highlights that it is the flawed email protocols of the past — such as SMTP, POP3 and IMAP — which carry the greatest number of attacks, with almost all of the password replay and password spraying attacks conducted over the old protocols. These protocols lack any form of MFA. In their research, Microsoft found that there was a significant improvement in security when organisations disabled legacy email protocols (a 67% reduction in compromises, on average).

And the conclusion … as the industry has been saying for many years …

ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!!

ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!!

ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!! ENABLE MFA!!!!!

Using hardware keys, a mobile authenticator app, or even just SMS-based authentication will block virtually every account hack.