Using Multi-Factor Authentication Blocks 99.9% of Account Hacks, Microsoft Says

Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. From a report: The recommendation stands not only for Microsoft accounts but also for any other profile, on any other website or online service. If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless if it's something as simple as SMS-based one-time passwords, or advanced biometrics solutions. "Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft. Weinert said that old advice like "never use a password that has ever been seen in a breach" or "use really long passwords" doesn't really help. He should know. Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft's Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.

Well Duh

[bobstreo]

But does Microsoft sell a TFA service ?

Authenticating to every web site is kinda painful. I prefer to use my banks authentication for just my bank.

And if they do provide MFA, how long until it either has a ribbon, or is discontinued with a few months warning? /s

Re:

[Jason Levine]

They do have a multi-factor authentication service. I know this because my work uses it. Any time I try to remote in from home, my work phone rings and I need to confirm that I'm trying to log in. Only after I've confirmed on the phone does my login attempt succeed.

Re:

[garyisabusyguy]

LOL Implementing MFA will bust the budget for more than a few IT departments.

Re:

[EvilSS]

Not really. You can do it on the cheap if you have some technical ability.

Re:

[The Raven]

I work for a cheap-ass University. We have under 8000 users (staff and students), yet we implemented 2FA for about $10k/yr plus about three months of infrastructure / dev salary. (so another 15 to 20k in time-cost). We probably could have outsourced the implementation for a similar cost, but we wanted to do it internally so we understood all the ramifications of our choices on the interlocking systems.

All remote employees must use MFA to VPN in now, and MFA is an option anyone can enable on their account (a

Re:

[nospam007]

"Authenticating to every web site is kinda painful. I prefer to use my banks authentication for just my bank."

Exactly! Every other site gets a fake name and fake email address.

Re: Well Duh

[sectokia]

In an ideal world you world use TFA to authenticate your account with Google/Firefox/Edge, which would then deliver you a signed *client* SSL cert, which you would present to any server. unfortunately ists if using client certs, everyone is persueing their own apis. even then there is hope one day people will adopt oauth....

Re:

[Bradac_55]

It's called a yubikey gramp's ;)

Re:

[AmiMoJo]

You can use any U2F device with Microsoft services. Even works with XBOX Live. Pick the device that suits you.

Adaptation

[Tablizer]

An uncommon technique may work well simply because it's uncommon; criminals go find lower-hanging fruit. If it becomes common, then criminals find more ways around it.

Re:

[Dallas May]

I don't think you can call 2 factor MFA uncommon today. It's quite broadly utilized.

It should be rolled out to literally every website.

Re:

[Cid Highwind]

Oh goody. I can't wait for slashdot and reddit to need to know my phone number!

Re: Adaptation

[sectokia]

They didn't need your phone number. An authentication app assigns a key to your account that resides in the app on your phone. So you use the app to generate a login a 6 digit code to login. It's impossible for the attacker to have the key to generate the code unless they steal your phone and you phone has crap security.

Re:

[godel_56]

It's impossible for the attacker to have the key to generate the code unless they steal your phone and you[r] phone has crap security.

If it's an Android phone then you have crap security.

They can use TOTP, but they don't.

[tepples]

They didn't need your phone number. An authentication app assigns a key to your account that resides in the app on your phone. So you use the app to generate a login a 6 digit code to login.

In theory, that's how it'd work. In practice, websites like Twitter treat SMS as primary and TOTP as a backup in case SMS fails. Every time you try to log in after having set up 2FA, Twitter sends a text message even if you didn't ask for one, and your (U.S.) carrier may bill you 10 cents for an SMS overage. You can't set up TOTP 2FA on Twitter unless you've already set up SMS 2FA, and disabling SMS 2FA disables TOTP 2FA as a side effect.

Re:

[RespekMyAthorati]

Solution: Don't fucking use twitter!

Without a mobile?

[Roger W Moore]

The problem with this is that not everybody has a mobile phone and currently the only workaround is to use email. However, if everyone uses 2FA then there is no way to access your email without first being able to access your email. The result will be that while you maybe only 99.9% secure from hackers you will be 100% secure from your legitimate user.

Re:

[garyisabusyguy]

Funny, have you ever heard of RSA SecureID?

This is the grand-daddy of MFA and requires a key-fob not a connected device like a phone

It has never been cheap, so we have seen a bunch of phone-based alternatives

Re: Without a mobile?

[Ronin Developer]

Or, Google Authenticator or Microsoft Authenticator?

Both take a TOTP key (usually, via a QR code). Then it cycles every 30 seconds to a new value.

The biggest threat, I see, is if the secret key is compromised on the server. It has to be disclosed to the process checking your totp code. Hopefully, these codes are well protected.

Re:

[markus]

FIDO U2F uses a public/private key system. So, a compromised server doesn't compromise the security of any other service.

Of course, it compromises the server that was, eh, compromised. But that's a tautology.

Re:

[EvilSS]

But don't those require a mobile phone? From the GP: "The problem with this is that not everybody has a mobile phone"

Re:

[tepples]

TOTP authenticators can run on a Wi-Fi-only tablet or on a phone with no service, provided that a particular website allows setting up TOTP without first setting up SMS.

Re:

[Roger W Moore]

Yes I have. However, as you point out the cost is not cheap so I doubt the vast majority of websites are going to be able to afford to do this for what are often free accounts.

Re:

[Bradac_55]

Define "cheap" what's the lowest amount of money you will pay for 99% security?

My $70 personal Yubikey (that signs into lastpass desktop & mobile) was worth the money and my lastpass score is top 1% so I feel a bit better as long as I don't do anything stupid to compromise it.

My job has a mobile app and key fob system for Eng. which they consider cheap versus a breach.

Re:

[ctilsie242]

My NAS and router don't need a mobile phone number, and they use Google's TOTP protocol.

A phone is nice for recovery, but you can have a shared secret type of system without any need for any communication between the machines, other than the initial communication of the secret key. This isn't really new tech either... BSD has had this since 386BSD with S/Key, and that never required any cell phones for recovery... since there were not any.

Just make sure to secure and back up those 2FA seeds, preferably to

Re:

[markus]

The TOTP protocol is super simple. You can implement it as a browser extension or even just as a Javascript Bookmarklet. That's not necessarily super secure, as it now stores your secret on the same computer that you want to protect from being compromised. But it's still much more secure than single-factor passwords.

Re:

[ctilsie242]

Exactly, that is its weakness. However, just by keeping the shared secret on a different device mitigates almost all remote attacks, because the attacker would have to actively obtain the phone to access the data.

Nothing is perfect, but the TOTP protocol is simple, and time tested. Wish it were built into operating systems, similar to how S/KEY was a part of modern BSDs since its inception.

Re:

[Dallas May]

There are lots of alternatives. My favorite is USB keys. They are much better than SMS messages, mostly because I travel internationally and often can't get SMS messages. But nearly every computer in the world has the most recent version of Chrome and a USB port.

Re:

[markus]

A FIDO U2F token costs as little as $5, and you only need a single token for all of your accounts. In fact, for most threat profiles, you can safely share it between all family members or co-workers.

Re:

[ctilsie242]

Fido U2F tokens are great. Only two downsides is that some tokens don't work with all U2F providers (I have found some tokens that MS won't work with), and recovery in case of loss. I personally use MFA keys as a recovery mechanism, but I take some time to export the shared secrets and keep them in a safe place so I can reload them if I lose my phone, key, and other stuff.

Re:

[Tablizer]

I don't think you can call 2 factor MFA uncommon today. It's quite broadly utilized.

It's common when dealing with big transactions, but if every dinky social network and pet trinket store did it, then crooks would have a big cache of additional personal info to use.

Re:

[ShanghaiBill]

An uncommon technique may work well simply because it's uncommon

SMS validation is nearly universal for financial sites.

I have accounts at 3 banks and two brokerages. I also manage all of my mom's online finances. ALL of them use SMS validation when I log in from a new computer/browser combination. One of them (Vanguard) also uses voice-id, but that is in addition to first-time SMS.

A big security hole is if you don't have an online account at all. When I set up my mom's accounts, I was able to enter my email and cell, answer a few security questions about her credit

Re:

[markus]

SMS authentication is regularly hacked in targeted attacks. I have friends who had their accounts compromised. So, I am not a big fan of banks using the lowest common denominator solution.

TOTP tokens are more secure, and some banks have started using that. But financial institutions always seem to be the last to implement adequate security protocols. If they were on top of things, they'd be working on rolling out FIDO U2F.

Re:

[AmiMoJo]

I do most of by banking on my phone via apps now, which use fingerprints for auth. When transferring money they also want a six digit PIN.

I barely use their web sites because logging in is a pain in the arse. Enter a username and password, enter random characters from your secret word, wait for a text message... Sod that. If they offered U2F I'd be happy with that.

If MS is suddenly keen on security ...

[Alain Williams]

why do they act stupid elsewhere ? My son tells me that he used to have separate passwords to: login to his PC, login to Skype, login to hotmail. Some time ago they were all linked and made the same, if he changes one they all change. He is furious as he wants different passwords on each of them.

Re:

[tomhath]

Some time ago they were all linked and made the same

That's so when you log into one, MS can slurp up your data from everywhere. Blocking outsiders from accessing your accounts doesn't apply to them. [/scarcasm]

Re:

[jawtheshark]

... and sometimes they simply cannot be merged. I have two "original" Skype accounts, from the time Microsoft didn't own Skype. One is firstname.lastname, the other one is my typical handle. They had different uses.

One day, they were converted to Microsoft accounts. Who, knows, perhaps even with associated outlook.com address and whatnot. I don't know, I only ever used them for Skype.

Now, I don't use Skype all that often any more. I rarely log in and I don't really care much about it. Thing is, I

Re:If MS is suddenly keen on security ...

[bill_mcgonigle]

They're all Microsoft services now. Does he get 'furious' about having only one Google password too?

Why not set the password to r8DhATrWUc4uj#f , set up 2FA, and be happy?

Actual question, not rhetorical.

Re:

[Alain Williams]

Why not set the password to r8DhATrWUc4uj#f , set up 2FA, and be happy?

He says that he sometimes wants to let someone else use his laptop but does not want them to access his email. You might argue that he ought to set up another/guest account on his laptop - but that is another issue.

Re:If MS is suddenly keen on security ...

[markus]

That's the perfect scenario for using user profiles in Chrome. Or even better, using a Chromebook and switching to Guest Mode.

Heck, even my Android phone has Guest Mode these days.

Re:

[EvilSS]

So have him create a guest account on the laptop? He can also set a PIN to use to login to the laptop that only works on the laptop as well, not the rests of his MS services.

Re:

[swillden]

They're all Microsoft services now. Does he get 'furious' about having only one Google password too?

Why not set the password to r8DhATrWUc4uj#f , set up 2FA, and be happy?

Actual question, not rhetorical.

I agree with this... with one exception. Is the Windows login password really linked in as well? If so, that means that his Windows PC serves as an oracle for password guessing. Passwords that can be tested offline should be segregated from those that can only be tested online, since servers can easily implement brute force mitigation which devices can't (barring use of hardened security chips, and even then the security characteristics are different).

Re:

[guruevi]

Any OS with encryption and TPM you should be able to shut down your local account after n invalid logins. Since you need the TPM chip to authenticate, it can lock itself out. I think Bitlocker already has a model like that, I know Apple does as well on their hardware and requires you to 'be online' to unlock the account.

Re:

[swillden]

Any OS with encryption and TPM you should be able to shut down your local account after n invalid logins. Since you need the TPM chip to authenticate, it can lock itself out.

Yes, that's the "barring use of hardened security chips" option I mentioned. I'm not sure how many Windows PCs actually have a TPM, though, or whether it's properly integrated into the authentication process. Doing this correctly is much harder than it looks.

Re:

[AmiMoJo]

TPM is near universal now. Both AMD and Intel include TPM modules in their CPUs or chipsets. I believe it was around 2013 when they started on select parts, now it's all of them.

Most Windows 10 systems that come pre-installed use the TPM for Secure Boot at least. Many business oriented systems, especially laptops, have BitLocker encryption with a self-encrypting SSD enabled by default too. It's all hidden from the user unless they want to adjust the settings, otherwise it just works transparently and you wo

Re:

[EvilSS]

Unfortunately most companies don't bother spending the $3 to put a TPM chip in consumer PCs. You really have to shop around for laptops with them, and forget it on most pre-built desktops. Custom desktops it depends on the MB maker, model, and then you need to figure out exactly what TPM module they need, and hope you can find it for a decent price.

Re:

[tlhIngan]

I agree with this... with one exception. Is the Windows login password really linked in as well? If so, that means that his Windows PC serves as an oracle for password guessing. Passwords that can be tested offline should be segregated from those that can only be tested online, since servers can easily implement brute force mitigation which devices can't (barring use of hardened security chips, and even then the security characteristics are different).

In Windows 10, you can choose to link your Microsoft and

Re:

[MobyDisk]

Linking your Windows account to an email address was the crucial mistake. Unless on a corporate domain, the login to a home PC or laptop should have nothing to do with the internet, email addresses, etc.

Why doesn't literally every website require 2FA

[Dallas May]

Every single website that requires a sign on to use, every singe one, should require 2FA.

Every single one.

Re:

[Tablizer]

Then every hacker will know my dog's maiden name and the first date who dumped me. That's too much personal info to give out.

Re:

[Anonymous Coward]

Were they both called Rover?

Re:

[Tablizer]

Dude, that's ruff.

Re:

[niver]

Then every hacker will know my dog's maiden name and the first date who dumped me.

Using your dog's name is not 2FA. Real 2FA would be "something you know" and "something you have". Say, a password and a phone confirmation. Or a RF chip and a password. Or an OTP device, which arguably counts as 2FA by itself.

Re:

[markus]

Google has been putting FIDO U2F tokens into their Chromebooks for a while now. It's not a widely advertised feature, as they are still working out some of the usability and security features. But its IMHO the easiest and most secure solution and something that hopefully will be widely adopted in the future.

Too late

[Roger W Moore]

Then every hacker will know my dog's maiden name and the first date who dumped me. That's too much personal info to give out.

Your dog has a maiden name? You are already way past the threshold of handing out too much personal information.

Re:

[flyingfsck]

His dog's maiden name is FIDO of course - Easy to guess.

Re:

[Roger W Moore]

It's not what the name is but the implication of it being a maiden name that is TMI.

Re:

[timeOday]

Ugh no. My ./ profile is NOT worth it to me.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Roger W Moore]

Every single website that requires a sign on to use, every singe one, should require 2FA.

How will that work if you do not own a mobile phone? ...and what happens if you own one and lose it?

Re:

[Dallas May]

There are lots of options for 2FA. USB keys are my personal favorite. The "what if you lose it" problem become the same problem for every key. If you lose one, you just change the locks and approve another.

Re:

[MobyDisk]

When you say "USB keys" what do you mean?

Re:

[Dutch Gun]

I'd presume GP means something like a Yubikey [wikipedia.org]. You plug it into your computer, and it acts like a virtual keyboard. When logging it, you enter credentials as normal, and then you press a button on the device to send the one-time token.

You mentioned two-factor is a pain. I've used software-based 2FA on my smartphone, or a token that generated numbers you had to type in, and you're correct that it's absolutely a pain. I've also used Yubikeys, and I vastly prefer them. A website or service will just pop u

Re:

[ISayWeOnlyToBePolite]

#1. Use a dongle #2. Use a spare dongle.
Yubikey is the most popular and can do usb and nfc. Google sells dongles in the US (+ a few other) if you want behemoth support and also bluetooth. https://solokeys.com/ [solokeys.com] is an opensource solution with usb and nfc. There are other manufacturers as well. FIDO2 is the name of the current standard.

Re:

[markus]

Cheap tokens are around $5 last I checked. I wouldn't necessarily pick that as my primary token, as I'd be worried it could physically get damaged. But it's entirely appropriate for a backup token.

Re:

[AmiMoJo]

I wish they would get NFC working on computers as well as phones. There is Bluetooth but it does mean changing the battery now and then, and I can't see any that support TOTP as well as U2F over the air.

Re:

[tepples]

How will that work if you do not own a mobile phone?

Then apparently websites don't want your eyeballs because if you can afford the products that the site's advertisers are advertising, then you can afford a mobile phone.

Re:

[MobyDisk]

Why? 2FA is a pain, and often it is pseudo-security. The site has to know your email address or phone number. So you must have access to those things to login.

Many sites that offer 2FA do it not for security, but so that they can get personal information to better serve their advertising overlords. People should not be using 2FA except where security is super important, and only with companies that are not driven by advertising. I use 2FA with my bank and mutual funds only. Oh, and one other site that

And what happens when

[servo335]

criminals find a sway to bypass it or intercept it?

Re:

[Dallas May]

That's the point of 2FA. You can't just bypass or intercept it. You have to physically steal the thing. That's what makes it safer.

It's highly likely that a hacker from Ukraine find your username and password posted on some dark web forum, but next to impossible for them to steal your USB key. A thug might jump you and steal your USB key, but likely wouldn't know how to find your password on the dark web forum.

Re:

[rgmoore]

It may not be easy to bypass or intercept a 2FA, but it is possible. 2FA that depends on a text message can be intercepted by cloning the phone number, for instance. And 2FA doesn't protect against a MITM attack. What 2FA is really good for is two things:

1) It raises the bar for a breach. Cloning somebody's phone is a lot harder than just copying their username and password.

2) It makes a persistent breach harder. Even if they can mount a successful MITM attack, that only works the one time. They c

Re:

[Cro Magnon]

What happens when your dog eats your USB key? Maybe a crook can't get in, but neither can you.

Re:

[Dallas May]

What happens when your dog eats your house key?

Re:

[ISayWeOnlyToBePolite]

criminals find a sway to bypass it or intercept it?

Then it's bypassed or intercepted. The trick is to make this really hard to do.

Also...

[JoeyDot]

Also blocks 99.9% of legitimate log in attempts.

Implementation-dependent

[twocows]

Depends what the second factor is. If it's a text message on a phone, I'd say it's as weak or even weaker, as it opens up another avenue of attack.

Either way, blocking "99.9% of automated attacks" isn't hard. Those attacks go for the low-hanging fruit; they attack millions of targets at a time using exposed shared credentials and dictionary attacks and just take what falls through the cracks. Don't use the same password on every site, don't use words or phrases that are easily hit by dictionary attacks, and don't use anything that's easily brute forceable by current technology (8 characters or less).

I use a custom password system that incorporates some static shared data and some data that varies from login to login. The system itself isn't hard to decipher and if someone wanted to hack me in particular they could probably figure it out, but it's easily resistant to the "99.9% of automated attacks" that at most apply some basic transformations to known passwords (like trying "p4$$w0rd" or maybe "psasword" instead of "password").

Re:

[swillden]

Depends what the second factor is. If it's a text message on a phone, I'd say it's as weak or even weaker, as it opens up another avenue of attack.

Unless the text message can be used to reset the password, it doesn't open up another avenue of attack. Stealing/guessing your password and subverting your SMS provider is clearly harder than stealing/guessing your password alone.

I don't particularly recommend SMS-base 2FA, but if you can't use something better like a TOTP app or, better yet, a security key, it's definitely a significant security improvement.

Either way, blocking "99.9% of automated attacks" isn't hard... I use a custom password system that incorporates some static shared data and some data that varies from login to login.

Your advice here basically boils down to "use strong-ish, unique-ish passwords". It's worth poin

Hidden Agenda

[Retired ICS]

So the real question is what is Microsoft's hidden agenda from which they are expecting to generate revenue?

It is extremely simple to thwart 99.9% of credential attacks (where a credential is presented as an identifier and an authenticator).

Are they getting ready to flog the "Microsoft Captcha" or something?

Microsoft, like Google, is motivated entirely by profit and nothing else.

Secondly they demonstrate how utterly stupid they are because they seem to believe that biometrics are authenticators. They are n