You have been warned. Your Google and Microsoft passwords are under attack, with leaked or stolen credentials the likely way hackers will gain access to your account. Both have issued warnings with clear calls to action. But not enough users are listening.
“Attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions,” Google warns, again pushing passkeys as the best solution to “defend against account takeovers.”
Meanwhile, in its new Digital Defense Report, Microsoft says “even when attackers possess valid usernames and passwords, multi-factor authentication (MFA) blocks access in over 99% of cases.” I first reported that Microsoft 99% MFA stat in 2019. And yet, six years later, a Google study says less than half of all users have enabled MFA.
Rarely a week goes by without reports of credential attacks by way of phishing emails or smishing texts, or infostealer malware. Just to highlight that stat again. If you enable MFA, it doesn’t matter if your password is stolen. Attackers can’t access your account.
Back in 2019, Microsoft said “MFA is the least you can do if you are at all serious about protecting your accounts,” confirming that “the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
And yet, here we are. The 99% stat has stayed the same. But unfortunately so has the alarmingly low take-up of MFA in any of its forms. What has changed is that SMS is now inadvisable for MFA. But instead you have easy-to-use password managers (do not use browser-based ones) and free and readily available authenticator apps.
What has also changed is the deployment of passkeys. Both Google and Microsoft recommend their use on all accounts where’re they’re available. These combine passwords and MFA in to a single sign-on that uses your hardware security to assure your account identity. If an attacker doesn’t have your hardware, they can’t get in.
Microsoft warns “on average, each compromised username appeared in three separate logs, highlighting the magnitude of the global credential leak problem.” These days, you have to assume your passwords have leaked and your accounts are at risk.
Despite the widespread availability of passkeys, that same Google study warns that little over a third of all users have enabled them. It takes just seconds. Google and Microsoft instructions can be found via these links. Do it now.