My University Went All MFA Today!

If your company does not have MFA, please ask why.

--

Today, my university switched to MFA (Multi-factor Authentication), where we can now use out-of-band authentication on our mobile phones to secure our email system. It is a major step forward in security, as many people in academia use their university email account as the core of their identity. So, just like so many of my logins, I can now add my email login to the authenticator application. In fact, it all seems so old-fashioned when my bank sends me a code by SMS.

The answer to many security questions is often: enable MFA (Multi-factor Authentication). It seems obvious that it massively improves security, and last week Microsoft released data showing that 99.9% of the accounts that were compromised did not use MFA. Within their research, they monitored over one billion users per month and logged over 30 billion login alerts every day. The rate of compromise they found was around 0.5% (1 in 200), which amounts to around 1.2 million account compromises a month.

But enterprises are not generally enabling MFA: Microsoft found that only 11% had enabled it for their accounts. The top two methods of compromise are password spraying (around 40% of all compromises) and password replay (around 40% of all compromises).

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.