While two-factor authentication usage in the consumer space is climbing quickly, enterprises are still straggling when it comes to using multi-factor authentication (MFA) to protect crucial accounts, despite the fact that compromised credentials are the starting point of most cyber-attacks.
Consumer and enterprise MFA adoption
According to the findings of the latest Duo Labs State of the Auth report, 78% of polled users had used two-factor authentication in 2021, compared to 53% in 2019 and 28% in 2017.
The recent growth in popularity of phishing kits that bypass MFA protection shows that attackers have taken note of this shift and are adapting.
Microsoft’s inaugural Cyber Signals report shows, on the other hand, that only 22 percent of customers using Microsoft Azure Active Directory (Azure AD) have implemented MFA protection.
There’s a dangerous mismatch between the magnitude of identity-focused attacks and organizations’ preparedness for them, the company says: just between January and December 2021, Microsoft Azure AD detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords.
Attackers love compromised credentials and no MFA
“Spear-phishing, social engineering attacks, and large-scale password sprays are basic nation-state actor tactics used to steal or guess passwords,” Microsoft says, and notes that these groups will keep using the same simple tactics as long as user credentials are poorly managed or MFA and passwordless authentication aren’t employed.
Most attacks involving human-operated ransomware also rely on compromised credentials.
“Finding weaknesses in identity is a common attack tactic shared by many threat actors, cybercriminals, and nation-state actors,” says Christopher Glyer, Principal Threat Intelligence Lead at the Microsoft Threat Intelligence Center (MSTIC).
Microsoft has been recommending MFA use to its customers and the general public for years, pointing out that even though there are ways to bypass MFA protections, any form of MFA – if implemented correctly – takes users out of reach of most attacks.
Despite all that, change comes very slowly: recent research by Ensono has revealed, for example, that 38% of organizations are not using the MFA option available in Microsoft 365, and only 43% have Conditional Access controls in place.