Microsoft says MFA is secure, the FBI says it isn't. They're saying the same thing.

October is turning out to be an interesting month in multi-factor authentication (MFA). Microsoft published the results of an internal survey that showed that MFA is more than 99.9% effective. A week later, a memo came to light in which the FBI warned its partners that MFA alone is not secure. Here’s why they’re actually both saying the same thing.

In a great post titled “All your creds are belong to us,” Alex Weinert published internal findings from research at Microsoft. He really lays out the different methods of authentication, and the types of multi-factor authentication including their strengths and weaknesses. There’s a lot of interesting information in there. This is the take-away: the rate of account takeover for accounts protected by any form of MFA is less than 0.1%.

Screen Shot 2019-10-11 at 3.04.13 PM.png

Then a memo from the FBI came to light (it was actually sent out in September), a Private Industry Notification to their commercial partners, indicating that “The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.” The notification lists 5 approaches that they have come across whereby MFA was compromised, from hacking around it, to SIM-jacking, social engineering, and Man-in-the-middle attacks. They recommend educating users about attack methods and deploying behavioral biometrics to mitigate these threats.

So how can these two organizations be saying the same thing? We’re missing something here.

What they actually said is that less than 1 in 1000 accounts protected by MFA are compromised, but some attacks are getting through. Another data point released by Microsoft is that less than 10% of their Enterprise customers have enabled two-factor or multi-factor authentication. These are not individual consumers, but corporate Enterprise customers, so this is really surprising. What we know, is that it’s the friction to users that is holding the adoption of MFA back. This brings the FBI’s recommendation of incorporating behavioral biometrics into context.

Behavioral Biometrics is not another form of MFA. It’s a biometric, like a fingerprint scan, but different from a fingerprint scan in that it doesn’t make the user do anything, and can therefore be used continuously without any impact on the user experience. It doesn’t replace MFA, but when added to MFA as the FBI recommends, it eliminates the need for repeated MFA challenges. Essentially, it uses a continuous biometric to repeatedly validate the session, ending it only when the user is no longer the authorized user. A behavioral biometric-enhanced infrastructure only uses MFA to learn to recognize a new user, and to block an attacker, rather than as the primary input to the decision to grant or revoke access.

The reason why less than 10% of Enterprise customers do not enable MFA, is because MFA is annoying, and the friction of extra authentication steps reduces job satisfaction and productivity. But following the FBI’s recommendations, behavioral biometrics can reduce that friction while elevating security and reducing the risk of breach. This is our mission at TWOSENSE.AI and our products do exactly that for our US DoD and Enterprise customers.

John Tanios