Photo by Matthew Brodeur on Unsplash

Keeping Security Simple: Enable MFA and Disable Old Protocols

We live in a 1980s viewpoint of the Internet, and are struggling to rebuild it. So, here we go. Security can be simple … enable MFA, and 99% of all your account hacks will go away. Also, get rid of your legacy email protocols!

The answer to many security questions is often to enable MFA (multi-factor authentication). It seems obvious that it massively improves security, and last week Microsoft released data showing that 99.9% of the accounts that were compromised did not use MFA. Within their research, they monitored over one billion users per month, and logged over 30 billion login events every day. The rate of compromise they found was around 0.5% (1 in 200), or around 1.2 million account compromises a month.

But, enterprises are not generally enabling MFA, and Microsoft found that only 11% enabled this for their accounts. The top two methods of compromise are password-spraying (around 40% of all compromises) and password-replay (around 40% of all compromises).

With password-spraying, an attacker tries a range of user names with commonly used passwords, aiming to get a hit eventually. Often they will not brute-force a single account, as that would trigger a lock-out. But the random spraying will likely lead to one account being compromised within an organisation, and the attacker can then use that account as a pivot point against the rest of the network.

With password replay, an attacker takes a previously exposed password and tries it against other accounts. For example, if a user was found to have a password of “MyLovelyCat” in a data breach, an attacker could replay that password on other sites. This has a high success rate, according to Microsoft, as 60% of users reuse their passwords. Microsoft also highlights that it is the flawed email protocols of the past, such as SMTP, POP3 and IMAP, that carry the greatest share of attacks, with almost all the password replay and password spraying attacks conducted over the old protocols. These protocols lack any form of MFA. In their research, Microsoft found a significant improvement in security when organisations disabled legacy email protocols (a 67% reduction in compromises, on average).
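The two patterns above, spraying against many accounts while staying under the lockout threshold and password-only sign-ins over legacy mail protocols, are what a defender would look for in sign-in logs. The following is an added example, not code from the original post or from Microsoft; it assumes a simple whitespace-separated record format and uses constructed sample data.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data). Assumed format:
# "<timestamp> <user> <protocol> <source_ip> <result>"
SAMPLE_LOG = """\
2024-01-10T08:00:01 alice IMAP 203.0.113.5 failure
2024-01-10T08:00:02 bob IMAP 203.0.113.5 failure
2024-01-10T08:00:03 carol IMAP 203.0.113.5 failure
2024-01-10T08:00:04 dave IMAP 203.0.113.5 failure
2024-01-10T08:00:05 erin IMAP 203.0.113.5 failure
2024-01-10T08:00:06 frank IMAP 203.0.113.5 failure
2024-01-10T08:00:07 erin IMAP 203.0.113.5 success
2024-01-10T08:05:00 alice HTTPS 198.51.100.7 failure
2024-01-10T08:05:01 alice HTTPS 198.51.100.7 failure
2024-01-10T08:05:02 alice HTTPS 198.51.100.7 failure
2024-01-10T08:05:03 alice HTTPS 198.51.100.7 failure
2024-01-10T09:00:00 grace HTTPS 192.0.2.9 success
"""

# Protocols named in the article: they carry a bare password and cannot
# prompt for a second factor.
LEGACY_PROTOCOLS = {"SMTP", "POP3", "IMAP"}

def parse_log(text):
    """Split each record into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, proto, ip, result = parts
        events.append({"ts": ts, "user": user, "proto": proto,
                       "ip": ip, "result": result})
    return events

def detect_spraying(events, min_users=5, max_per_user=2):
    """Spraying: one source fails against many accounts while staying under
    the per-account lockout threshold. One account hit many times is brute
    force, not spraying, and is left to a separate lockout rule."""
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]][e["user"]] += 1
    return {ip: sorted(users) for ip, users in failures.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}

def legacy_protocol_logins(events):
    """Successful sign-ins where a password alone was enough to get in."""
    return [(e["user"], e["proto"], e["ip"]) for e in events
            if e["result"] == "success" and e["proto"] in LEGACY_PROTOCOLS]
```

On the sample data the spraying source is flagged because it touched six accounts at most once each, while the source hammering a single account is not (it belongs to a lockout rule), and the one IMAP success shows an account that MFA could not have protected.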

And the conclusion … as the industry has been saying for many years …

Using hardware keys, a mobile authenticator or even just an SMS message authentication will block virtually every account hack.

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.
