2FA Thwarts 99.9% of Hacking Attacks According to Microsoft

A new study published by Microsoft today finds that multi-factor authentication prevented 99.9% of hacking attacks. Here are some other things that are 99.9% effective: contraception, hand sanitizer and the ending of 'Armageddon' making me cry. (When Bruce Willis tells Ben Affleck he has to go marry Liv Tyler…MY HEART)

That's right, several months after Google made the same claim, Microsoft has endorsed 2FA, telling users they should use it for their Microsoft account as well as any other web accounts, whether they use a simple SMS-based one-time passcode or advanced biometrics.

Microsoft itself sees 300 million automated attacks per day, the vast majority of which can be easily defeated by merely turning on a second factor. They went on to mention that the era of the password is seemingly coming to an end. Though there has been a push in recent years to force users to make the most complicated passwords, many times the password is irrelevant due to the types of automated attacks that are being launched. Let's take a look at a few of the more popular hacks.

Credential Stuffing

In this hack, a fraudster merely buys your information from a site that was previously breached. We've mentioned this site before that tells you if your information is floating out there (it probably is). If a hacker obtains your old credentials from a hacked site, they may just try them on a bunch of other platforms. And unless you use a different password for each site (you probably don't), you could be in a world of hurt without multi-factor. This attack accounts for 20 million attempts a day on Microsoft alone.


“Hey there, it's IT, insert your credentials here and we'll upgrade your laptop to a new MacBook Pro.” Psych. It's not IT. It's a hacker and you just gave them your work log-in, which you probably use for social media and your bank accounts too…hope you have 2FA on. (Also you don't get the new MacBook...sorry pal)

Keystroke Logging/Local discovery/Brute Force/Extortion

These are all slightly less common attempts that you are more likely to see in a spy movie. Keystroke logging would discover your password by installing some sort of malware on your device. Local discovery would be someone walking by your desk and seeing a password written down. Brute force uses an algorithm to try millions of password combinations and well…you probably know what extortion is. However! All of these can be thwarted with 2FA, so if you are involved in ANY shady dealings, turn it on!

Password Spray

Password spray accounts for 16% of hacks. It happens when a fraudster finds a list of usernames and then just starts guessing easy passwords. I bet you felt pretty slick when you made your password “Password123!” to get around the uppercase/lowercase alphanumerical special character requirements. Turns out, it's pretty easy for an 8th grader in his mom's basement to guess that and drain your crypto account unless of course you were using…


If you aren't using 2FA to protect against account takeover at this point, you're just being reckless. If you aren't going to listen to me, take it from Google and Microsoft (heard of them?): 2FA is simply the best way to protect against account takeover. Click here to find out how TeleSign can keep you safe.
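
For defenders, here is what the brute force and password spray patterns described above look like in a login log, and where 2FA changes the outcome. This is an added example, not code from Microsoft or TeleSign; the log format, the outcome names (`FAIL`, `OK`, `MFA_BLOCKED`), the thresholds and the sample lines are all constructed assumptions. Credential stuffing from a single source produces the same "many accounts, few tries each" shape, so it would get the spray label here too.

```python
from collections import defaultdict
from datetime import datetime

WINDOW = 600           # assumed: group attempts into 10-minute buckets
SPRAY_MIN_USERS = 5    # assumed: distinct usernames hit from one source
SPRAY_MAX_EACH = 2     # spray keeps per-account guesses low to avoid lockout
BRUTE_MIN_FAILS = 10   # assumed: failures against a single username

def analyze(lines):
    """Label noisy sources and list accounts whose password was guessed."""
    fails = defaultdict(lambda: defaultdict(int))  # (ip, bucket) -> user -> count
    right_password = []                            # (ip, user, outcome)
    for line in lines:
        ts, ip, user, outcome = line.split()
        bucket = int(datetime.fromisoformat(ts).timestamp()) // WINDOW
        if outcome == "FAIL":
            fails[(ip, bucket)][user] += 1
        else:  # OK or MFA_BLOCKED: the password itself was correct
            right_password.append((ip, user, outcome))
    labels = {}
    for (ip, _), per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_EACH:
            labels[ip] = "password-spray"   # wide and shallow
        elif worst >= BRUTE_MIN_FAILS:
            labels[ip] = "brute-force"      # narrow and deep
    # Correct-password logins from a labelled source: taken over vs. stopped by 2FA
    taken = sorted({u for ip, u, o in right_password if ip in labels and o == "OK"})
    saved = sorted({u for ip, u, o in right_password if ip in labels and o == "MFA_BLOCKED"})
    return labels, taken, saved

# Constructed sample log: "ISO-time source-ip username outcome"
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    [f"2024-01-01T09:00:{i:02d}+00:00 203.0.113.7 {u} FAIL" for i, u in enumerate(USERS)]
    + ["2024-01-01T09:01:00+00:00 203.0.113.7 frank OK",           # no second factor
       "2024-01-01T09:01:05+00:00 203.0.113.7 erin MFA_BLOCKED"]   # 2FA enabled
    + [f"2024-01-01T09:02:{i:02d}+00:00 198.51.100.9 alice FAIL" for i in range(12)]
    + ["2024-01-01T09:03:00+00:00 192.0.2.4 bob FAIL",             # ordinary typo
       "2024-01-01T09:03:20+00:00 192.0.2.4 bob OK"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

In the sample, both frank's and erin's passwords were guessed by the spraying source, but only frank's account, the one without a second factor, ends up in the taken-over list.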

