Microsoft says that user accounts are “more than 99.9% less likely to be compromised” if the user has enabled multi-factor authentication (MFA). This even applies for relatively weak MFA solutions like SMS-based one-time passwords, the company claims. Microsoft registers more than 300 million fraudulent sign-in attempts on its cloud services every day. Of the accounts for which MFA is enabled, less than 0.1% gets breached via sophisticated techniques that enable attackers to capture MFA tokens.
Earlier this year, Google research also found that enabling MFA blocks the vast majority of account attacks. The study showed that adding a recovery phone number sufficed to block all (100%) automated bot attacks, nearly all (99%) untargeted phishing campaigns, and two-thirds (66%) of targeted attacks.
Read more: Microsoft: Using multi-factor authentication blocks 99.9% of account hacks
