99.9% Of Compromised Microsoft Accounts Lack Multi-Factor Authentication—Is Your Data At Risk?

Nearly every breached Microsoft account doesn’t have an MFA solution enabled. What about your account? Do you know if it’s secure?

At a recent RSA security conference, Microsoft engineers told attendees that 99.9% of the accounts that are compromised each month don’t have a multi-factor authentication solution enabled.

Multi-factor authentication (MFA) is a simple way to add an extra layer of protection to your existing system and account logins. By requiring a second piece of information, such as a randomly generated numerical code sent by text message, you can make sure that the person using the login credentials is actually who they say they are. Biometrics like fingerprints, voice, or even iris scans are also options, as are physical objects like keycards.

Despite how basic and easy to use MFA is, nearly every login event Microsoft tracks uses only basic authentication processes—a username and password. In January 2020, that resulted in 1.2 million breached accounts.

How Do Cybercriminals Compromise Unprotected Accounts?

Without an MFA solution in place, user accounts are vulnerable to basic cybercrime attack vectors, including:

  • Password Spraying: Microsoft engineers noted that a majority of the attacks use a method called password spraying, in which the cybercriminal picks one likely password and tries it against a long list of usernames.
  • Password Replays: The second most prevalent attack type was password replay, in which cybercriminals take a password from one company’s account and try it on another. This takes advantage of the 60% of users who reuse their passwords.

These techniques are particularly effective against legacy authentication protocols, including SMTP, IMAP, and POP. In fact, 99% of password spraying attacks and 97% of password replay attacks target these out-of-date protocols, because they don’t integrate with MFA solutions.
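Both patterns described above leave a recognisable trail in sign-in logs: a spray shows up as one source address failing against many different usernames in a short window, and legacy-protocol use shows up in the client application field. The following Python script is an added example (not from the original post or from Microsoft) that runs both checks over a small constructed log. The log format, field names, addresses and thresholds are all assumptions for illustration; a real Microsoft 365 sign-in export uses its own column layout and client-app labels.

```python
"""Added example: flag password-spray patterns and legacy-protocol sign-ins
in a constructed sign-in log. Not the original post's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Columns:
# timestamp, user, source IP, client app, result.
SAMPLE_LOG = """
2020-01-15T08:00:01Z alice@example.com 203.0.113.10  IMAP4   failure
2020-01-15T08:00:03Z bob@example.com   203.0.113.10  IMAP4   failure
2020-01-15T08:00:05Z carol@example.com 203.0.113.10  IMAP4   failure
2020-01-15T08:00:07Z dave@example.com  203.0.113.10  IMAP4   success
2020-01-15T08:02:10Z eve@example.com   198.51.100.7  Browser failure
2020-01-15T08:02:40Z eve@example.com   198.51.100.7  Browser failure
2020-01-15T08:03:05Z eve@example.com   198.51.100.7  Browser success
2020-01-15T09:30:00Z frank@example.com 198.51.100.20 SMTP    success
"""

# Protocols that cannot carry a second factor (labels are assumed, not
# the exact strings a Microsoft 365 export uses).
LEGACY_APPS = {"IMAP4", "POP3", "SMTP"}


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, app, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "app": app, "result": result,
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=3):
    """Return {source_ip: sorted usernames} for every source whose failed
    sign-ins touch at least `min_users` distinct accounts within `window`.
    One user failing repeatedly from one address is NOT a spray."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)

    hits = defaultdict(set)
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding time window
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def legacy_sign_ins(events):
    """Successful sign-ins over protocols that bypass MFA entirely."""
    return [(e["user"], e["ip"], e["app"])
            for e in events
            if e["result"] == "success" and e["app"] in LEGACY_APPS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray candidates:", detect_spray(evs))
    print("legacy successes:", legacy_sign_ins(evs))
```

In the sample, the three failures from 203.0.113.10 against three different users inside ten minutes are reported as a spray, while eve's three attempts from one address are ignored because they involve a single account. The two legacy successes (dave over IMAP4 from the spraying address, frank over SMTP) are exactly the sign-ins that would have gone through without any second factor, which is why the post recommends turning those protocols off.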

How Does A Multi-Factor Authentication Solution Work?

  1. The user logs in to the session with their primary credentials.
  2. The session host validates the credentials with Active Directory.
  3. It then sends the credential validation to the cloud via the login app.
  4. The MFA client sends a secondary authentication request to the user, and the user approves it.
  5. The MFA client sends the approval back to the session host via the login app.
  6. The user accesses their session securely.
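The flow above uses a push approval through the login app. As an added example that is not from the post or from Microsoft, the Python below simulates the same two-step check with a different second factor: a time-based one-time code (TOTP, RFC 6238), the mechanism behind the six-digit codes that authenticator apps display. The user store, the `login` function and the sample account are constructed for illustration; the only real value is the RFC 6238 reference key used to check the code generator.

```python
"""Added example: password check followed by a TOTP second factor.
Not the original post's code; RFC 6238 is the reference for TOTP."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, drift: int = 1) -> bool:
    """Accept the current step plus/minus `drift` steps to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-drift, drift + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# RFC 6238 reference key; used here as the constructed sample user's secret.
RFC_SECRET = b"12345678901234567890"

# Constructed user store (assumed layout; per-user random salt).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery", _SALT),
        "totp_secret": RFC_SECRET,
    },
}


def login(username: str, password: str, code: str, unix_time: int) -> str:
    """Step 1: primary credentials. Step 2: second factor. A correct password
    with a wrong code is still a denial, which is the point of MFA."""
    user = USERS.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(user["pw_hash"],
                               hash_password(password, user["salt"])):
        return "denied: bad password"
    if not verify_totp(user["totp_secret"], code, unix_time):
        return "denied: second factor"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; code for this step is 287082
    print(totp(RFC_SECRET, now))
    print(login("alice@example.com", "correct horse battery", totp(RFC_SECRET, now), now))
    print(login("alice@example.com", "correct horse battery", "000000", now))
```

The `drift` window is the usual compromise between usability and replay exposure: a code is accepted for about 90 seconds in total, so a server should additionally refuse to accept the same code twice within that window.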

Though MFA does add a step for the account owner, it also makes it far harder for cyber thieves to get in with a stolen password. Their job becomes much tougher because they now need to do more than just crack your password; they also need something only the account owner has.

With so many accounts being too easy to break into, hackers are more likely to just move on instead of trying to break through the multi-factor authentication process.

How To Protect Your Microsoft 365 Account With MFA

You need to disable legacy authentication protocols and move to modern authentication, which supports MFA. Microsoft notes that doing so has resulted in a 67% reduction in breaches.

Start by having your IT director or systems administrator enable MFA. After that, you will be prompted to configure it to your preferences at your first login:

  1. Sign into your Microsoft 365 account.
  2. After you are signed in, you’ll be prompted to provide additional information.
  3. Click “Next” in the subsequent dialog box.
  4. Microsoft’s default method is the free Microsoft Authenticator app, which you will be prompted to download if you do not already have it. Alternatively, you can use SMS messages for MFA, in which case you will need to provide your mobile number.
  5. Once you have chosen Authenticator or SMS-based MFA, your work is complete. The next time you sign in to Microsoft 365, you’ll be prompted to input additional verification details.

Parkway Tech Will Help Protect Your Data

If you’re unsure about how to implement an MFA solution, don’t try to handle it all on your own. The Parkway Tech team will help you evaluate your password practices and security measures as a whole to make sure you’re not taking on any unnecessary risks.

We will guide you in implementing MFA for your entire staff, ensuring your data is properly protected.

Written by Chris Michalec posted on November 14, 2021

If you are thinking of switching IT companies but aren’t sure where to start, contact us now.