When internet giants Microsoft and Google make bold statistics about stopping greater than 99% of automated attacks by using multifactor authentication (MFA), it is probably a good idea to heed their advice. According to Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, based on their studies, accounts are more than 99.9% less likely to be compromised when using MFA. Alex also contends that passwords do not matter anymore, as even the longest, strongest, most complex passwords are stolen through human assisted methods such as phishing emails and keyloggers. Using MFA decreases the risk an adversary could log in with stolen credentials, making MFA an imperative control to protect user accounts. Common MFA methods include biometrics, smart cards, FIDO/CTAP (client to authenticator protocol) enabled hardware devices, or one-time passcodes (OTPs) sent to or generated by previously registered devices. So, what about the 0.1%? The remaining 0.1% account for more sophisticated attacks that use technical solutions for capturing MFA tokens, like Modlishka (covered in the Security & Resilience Update – 10 January 2019, in the post Phishing Attacks that Bypass 2FA Just Got Easier), but these sophisticated attacks are still very rare compared to the constant barrage of credential stuffing botnets and, well, just being human. Read the entire post at ZDNet