Your password doesn’t matter—but MFA does!
This article was originally posted to the Microsoft Security blog.
Your pa$$word doesn’t matter—Multi-Factor Authentication (MFA) is the best step you can take to protect your accounts. Using anything beyond passwords significantly increases the costs for attackers, which is why the rate of compromise of accounts using any MFA is less than 0.1 percent of the general population.
All authenticators are vulnerable
There is a broad range of mechanisms to break authenticators. That doesn’t make all authenticators equally vulnerable. Costs vary massively by attack type, and attacks that preserve anonymity and don’t require proximity to the target are much easier to achieve. Channel-Jacking and Real-Time Phishing are the most dominant ways we see non-password authenticators compromised.
Channel independent, verifier impersonation-resistant authenticator types—such as smartcards, Windows Hello, and FIDO—are incredibly hard to crack. Given an overall strong authentication rate of only about 10 percent, doing any form of MFA takes you out of reach of most attacks. Turn on MFA now and start building a long-term authenticator strategy that relies on “phish proof” authenticators, such as Windows Hello and FIDO.
To learn more, read All your creds are belong to us!