While the awareness of cybersecurity threats has risen substantially in recent years, use of one of the most basic but powerful tools for preventing attacks remains far too low, Microsoft said in a report released today.

Multifactor authentication (MFA) continues to have modest adoption—despite the proven effectiveness of requiring multiple forms of authentication at log-in, the company said in its inaugural “Cyber Signals” report. New statistics released in the report show that just 22% of Azure Active Directory identities utilize “strong” authentication in the form of MFA. The remaining 78% of Azure AD identities require only a username and password to authenticate, Microsoft disclosed.

This level of MFA adoption—paired with the fact that identity-focused attacks are surging—points to a “dangerous mismatch” in the battle between cyber defenders and attackers, Microsoft said. (The company said it has not released this type of statistic previously and did not have comparison data immediately available for previous years.)

The company explains that its Azure AD identity service spans more than 1.2 billion identities, with more than 8 billion authentications taking place per day.

Growing threat

In an interview with VentureBeat, Vasu Jakkal, corporate vice president of security, compliance, and identity at Microsoft, said the company has seen “an exponential increase in identity attacks.” In 2021 alone, Microsoft blocked more than 25.6 billion attempts to break into accounts of enterprise customers using brute-force password attacks, the company’s report said.

Infamously, compromised credentials were at the heart of the SolarWinds breach — and are also the root of most ransomware attacks — making identity the “new battleground” in cybersecurity, Microsoft said.

There are now hundreds of identity-focused attacks happening per second, Jakkal said. And such attacks have become “prolific” because they’re easy to do and potentially lucrative — and also because attackers understand the majority of accounts aren’t secured with MFA, she said.

Thus, the “dangerous mismatch” in the security battle is that “the attacks are increasing, but the preparation is not there yet,” Jakkal said.

While updating patches, using detection to spot attacks in progress, and moving to a zero trust posture are all important for preparation, MFA is undoubtedly the “first line of defense,” Jakkal said. And by using it, “we believe that the majority of attacks can be prevented,” she said.

As an example, Microsoft reported last month that it had uncovered a major new phishing campaign that used a novel tactic, device registration — but it was mainly successful in cases where MFA was not being used to secure accounts. MFA “foiled the campaign for most targets. For organizations that did not have MFA enabled, however, the attack progressed,” Microsoft said in a post.

Barriers to adoption

Some organizations are no doubt reluctant to move to MFA because it does require change, she said. Users must adjust to the extra steps that are involved in authenticating with MFA. For some, the potential inconvenience of the MFA user experience is seen as a barrier to adoption.

However, businesses can also look at deploying passwordless authentication as one of the factors for MFA, relieving users of the burden involved with passwords, Jakkal said.

Passwordless methods — which in the Microsoft universe include the Microsoft Authenticator app and Windows Hello facial recognition — can help by “removing one inconvenience,” she said. “We’re hoping that it’s making the experience seamless so that we can have better traction with adoption of MFA.”

Ultimately, if identity is the battleground now in cybersecurity, tools such as MFA are only going to become more essential going forward, according to Jakkal. Without MFA to help defend against the onslaught of identity-based attacks, “it’s an asymmetric battle that we’re fighting,” she said.

Of course, “it has been a journey” even getting to this level of MFA adoption, Jakkal said. “It used to be a lot lower before the pandemic.”

But to fully and effectively defend against growing cyberthreats, “we just need to accelerate that a whole lot faster,” she said. “My wish is that everybody turns on the MFA.”