How effective is multifactor authentication at deterring cyberattacks?
Lucas Augusto Meyer, Sergio Romero, Gabriele Bertoli, Tom Burt, Alex Weinert, Juan Lavista Ferres

TL;DR
This study evaluates the effectiveness of multifactor authentication (MFA) in preventing unauthorized access to commercial accounts, showing that MFA significantly reduces compromise risk, especially when using dedicated apps like Microsoft Authenticator.
Contribution
The paper provides empirical evidence on MFA's security performance in real-world commercial account scenarios, highlighting the superior effectiveness of dedicated MFA apps over SMS-based methods.
Findings
Over 99.99% of MFA-enabled accounts remained secure.
MFA reduces risk of compromise by 99.22%.
Dedicated MFA apps outperform SMS-based authentication.
Abstract
This study investigates the effectiveness of multifactor authentication (MFA) in protecting commercial accounts from unauthorized access, with an additional focus on accounts with known credential leaks. We employ the benchmark-multiplier method, coupled with manual account review, to evaluate the security performance of various MFA methods in a large dataset of Microsoft Azure Active Directory users exhibiting suspicious activity. Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials. We further demonstrate that dedicated MFA applications, such as Microsoft Authenticator, outperform SMS-based authentication, though both methods provide significantly…
Taxonomy
Topics: Privacy, Security, and Data Protection · User Authentication and Security Systems
