
In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals. The results have been very good – while there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

- Our ability to challenge users when we see risk led to a 6x decrease in compromise rate.
- Account retention increased by more than 10%.
- Unaided password recovery jumped from less than 20% to more than 90%.

This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).

While the tools are in place for customers to stop these attacks, adoption is significantly low. Unfortunately, we’ve been less successful than we’d like at raising awareness and getting folks to adopt the technologies.
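The claim that password spray arrives entirely over legacy authentication is something a defender can check in their own sign-in logs before (and after) blocking those protocols. The following is an added example, not code from the original post or from Microsoft: a small triage pass over Azure AD-style sign-in records that inventories legacy-protocol sign-ins (the ones MFA cannot challenge), lists which accounts still authenticate successfully that way, and surfaces the spray shape of one source IP failing against many distinct accounts. Field names follow the Microsoft Graph signIn schema (`userPrincipalName`, `clientAppUsed`, `ipAddress`, `status.errorCode`); the set of legacy client-app labels is an assumption to verify against your tenant, and the records and IP addresses are constructed.

```python
"""Added example (not from the original post or from Microsoft): triage of
Azure AD-style sign-in records for legacy-authentication usage and for
password-spray-shaped failure patterns.  Field names follow the Microsoft
Graph signIn schema; the records below are constructed."""
from collections import defaultdict

# Client-app labels Azure AD reports for protocols that carry only a username
# and password and so cannot complete an MFA challenge.  This set is an
# assumption for the example; check it against your own tenant's logs.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "SMTP",
}

# AADSTS50126: invalid username or password.  0 is a successful sign-in.
BAD_PASSWORD = 50126
SUCCESS = 0


def record(upn, app, ip, code):
    """Build one sign-in record in the Graph signIn field layout."""
    return {"userPrincipalName": upn, "clientAppUsed": app,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: ordinary browser/mobile users, one IMAP user, one
# ActiveSync device, and one source trying passwords across many accounts.
SAMPLE_SIGNINS = [
    record("alice@example.com", "Browser", "203.0.113.10", SUCCESS),
    record("bob@example.com", "IMAP4", "203.0.113.11", SUCCESS),
    record("carol@example.com", "IMAP4", "198.51.100.7", BAD_PASSWORD),
    record("dave@example.com", "IMAP4", "198.51.100.7", BAD_PASSWORD),
    record("erin@example.com", "IMAP4", "198.51.100.7", BAD_PASSWORD),
    record("frank@example.com", "SMTP", "198.51.100.7", BAD_PASSWORD),
    record("carol@example.com", "IMAP4", "198.51.100.7", BAD_PASSWORD),
    record("alice@example.com", "Mobile Apps and Desktop clients",
           "203.0.113.10", BAD_PASSWORD),
    record("grace@example.com", "Exchange ActiveSync", "203.0.113.12", SUCCESS),
]


def is_legacy(rec):
    return rec["clientAppUsed"] in LEGACY_CLIENT_APPS


def legacy_auth_summary(records):
    """Count sign-ins per legacy client app: the inventory needed before blocking."""
    counts = defaultdict(int)
    for rec in records:
        if is_legacy(rec):
            counts[rec["clientAppUsed"]] += 1
    return dict(counts)


def legacy_successes(records):
    """Accounts that authenticated over a legacy protocol with a password alone,
    i.e. sessions where MFA never had a chance to intervene."""
    return sorted({rec["userPrincipalName"] for rec in records
                   if is_legacy(rec) and rec["status"]["errorCode"] == SUCCESS})


def spray_candidates(records, min_accounts=5):
    """Source IPs whose bad-password failures span at least min_accounts
    distinct accounts.  A brute force hammers one account; a spray touches many."""
    failed_by_ip = defaultdict(set)
    for rec in records:
        if rec["status"]["errorCode"] == BAD_PASSWORD:
            failed_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(accts) for ip, accts in failed_by_ip.items()
            if len(accts) >= min_accounts}


def legacy_share(records, ip):
    """Fraction of a source's failed attempts that arrived via legacy protocols."""
    attempts = [rec for rec in records if rec["ipAddress"] == ip
                and rec["status"]["errorCode"] == BAD_PASSWORD]
    if not attempts:
        return 0.0
    return sum(is_legacy(rec) for rec in attempts) / len(attempts)


if __name__ == "__main__":
    print("legacy sign-ins by client app:", legacy_auth_summary(SAMPLE_SIGNINS))
    print("accounts still succeeding over legacy auth:", legacy_successes(SAMPLE_SIGNINS))
    for ip, accounts in spray_candidates(SAMPLE_SIGNINS, min_accounts=3).items():
        print(f"spray-shaped source {ip}: {len(accounts)} accounts, "
              f"{legacy_share(SAMPLE_SIGNINS, ip):.0%} via legacy auth")
```

The order of the three checks mirrors the rollout a tenant admin actually faces: inventory which legacy protocols are in use, find the accounts that still depend on them (those are the mailboxes and devices that will break when the block lands), and in the meantime watch for the spray pattern, which on the sample data comes entirely through IMAP4 and SMTP. The `min_accounts` threshold is deliberately a parameter; a small tenant may want it lower than the default.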
