

If you’re reading this blog, you’re probably a security or identity enthusiast. You’re aware of the importance of securing identities and taking advantage of key capabilities in the platform. But for most people, especially individual developers, small businesses, or folks just experimenting with our Azure, Office, or Dynamics services, security isn’t the first thing on their minds. The goal is just to find the shortest path to setting up email and document sharing, or building that first Azure application – they won’t configure security settings until they’ve been hacked.

In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals.

The results have been very good. While there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

- Unaided password recovery jumped from less than 20% to more than 90%.
- Account retention increased by more than 10%.
- Our ability to challenge users when we see risk led to a 6x decrease in compromise rate.

This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).

Unfortunately, we’ve been less successful than we’d like at raising awareness and getting folks to adopt the technologies. While the tools are in place for customers to stop these attacks, adoption is significantly low. Despite marketing, tweeting, and shouting from the rooftops, the most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.
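The two numbers above that a practitioner can check in their own tenant are "what share of my users ever see an MFA claim" and "how much of my sign-in traffic still arrives over legacy authentication" (the channel password spray uses). The script below is an added example, not code from the original post or from Microsoft: it computes both from exported sign-in records and flags a spray-like pattern (one failed password per distinct account, same source address, legacy protocol). The record field names (userPrincipalName, clientAppUsed, authenticationRequirement, ipAddress, status.errorCode) and the legacy-protocol names are assumptions modelled on the shape of Azure AD sign-in log exports, and the sample records are constructed; adapt both to your own export format.

```python
"""Measure MFA coverage, legacy-authentication use and spray-like failure
patterns in sign-in records.

Added example, not code from the original post or from Microsoft. The record
fields (userPrincipalName, clientAppUsed, authenticationRequirement,
ipAddress, status.errorCode) and the legacy-protocol names are an assumption
modelled on the shape of Azure AD sign-in log exports; the sample records are
constructed, not real telemetry. Adapt them to your own export format.
"""
from collections import defaultdict

# Assumption: client types reported for legacy (basic-auth) protocols. These
# clients cannot complete an MFA challenge, which is why MFA alone does not
# stop password spray until legacy authentication is disabled.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
}


def _rec(upn, app, mfa, ip, error_code=0):
    """Build one constructed sign-in record in the assumed export shape."""
    return {
        "userPrincipalName": upn,
        "clientAppUsed": app,
        "authenticationRequirement": (
            "multiFactorAuthentication" if mfa else "singleFactorAuthentication"
        ),
        "ipAddress": ip,
        "status": {"errorCode": error_code},
    }


# Constructed sample data (not real telemetry).
SAMPLE_SIGN_INS = [
    _rec("alice@example.com", "Browser", True, "203.0.113.10"),
    _rec("alice@example.com", "Mobile Apps and Desktop clients", False, "203.0.113.10"),
    _rec("bob@example.com", "IMAP4", False, "198.51.100.7"),
    _rec("carol@example.com", "Browser", False, "203.0.113.11"),
    _rec("dave@example.com", "Exchange ActiveSync", False, "203.0.113.12"),
    # One failed password per distinct user, same source, all over SMTP:
    # the shape of a password spray arriving via legacy authentication.
    _rec("alice@example.com", "SMTP", False, "192.0.2.99", error_code=50126),
    _rec("bob@example.com", "SMTP", False, "192.0.2.99", error_code=50126),
    _rec("carol@example.com", "SMTP", False, "192.0.2.99", error_code=50126),
    _rec("erin@example.com", "SMTP", False, "192.0.2.99", error_code=50126),
]


def is_legacy(rec):
    """True when the record's client type is a legacy (basic-auth) protocol."""
    return rec.get("clientAppUsed") in LEGACY_CLIENT_APPS


def summarize(sign_ins):
    """Per-user MFA coverage and the share of sign-ins using legacy protocols."""
    users, users_with_mfa, legacy_users = set(), set(), set()
    legacy_count = 0
    for rec in sign_ins:
        upn = rec["userPrincipalName"].lower()
        users.add(upn)
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            users_with_mfa.add(upn)
        if is_legacy(rec):
            legacy_count += 1
            legacy_users.add(upn)
    return {
        "users": len(users),
        "users_with_mfa_claim": len(users_with_mfa),
        "mfa_user_share": len(users_with_mfa) / len(users) if users else 0.0,
        "legacy_sign_ins": legacy_count,
        "legacy_share": legacy_count / len(sign_ins) if sign_ins else 0.0,
        "users_on_legacy_auth": sorted(legacy_users),
    }


def spray_candidates(sign_ins, min_users=3):
    """Source IPs with failed legacy-protocol sign-ins against at least
    min_users distinct accounts. Returns {ip: sorted list of targeted users}."""
    failures = defaultdict(set)
    for rec in sign_ins:
        failed = rec.get("status", {}).get("errorCode", 0) != 0
        if failed and is_legacy(rec):
            failures[rec["ipAddress"]].add(rec["userPrincipalName"].lower())
    return {ip: sorted(u) for ip, u in failures.items() if len(u) >= min_users}


if __name__ == "__main__":
    s = summarize(SAMPLE_SIGN_INS)
    print(f"{s['users_with_mfa_claim']}/{s['users']} users ever saw an MFA claim "
          f"({s['mfa_user_share']:.0%})")
    print(f"{s['legacy_sign_ins']}/{len(SAMPLE_SIGN_INS)} sign-ins used legacy auth "
          f"({s['legacy_share']:.0%}); users: {', '.join(s['users_on_legacy_auth'])}")
    for ip, targets in spray_candidates(SAMPLE_SIGN_INS).items():
        print(f"spray-like failures from {ip}: {len(targets)} accounts")
```

Run against a real export, the first figure is your own version of the "9% see an MFA claim" measurement, and a non-empty result from spray_candidates on a tenant that still allows legacy authentication is the concrete reason to block it: once those protocols are disabled the spray traffic has no channel that bypasses MFA.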
