Microsoft: 99.9% of compromised accounts did not use multi-factor

z3r010 · 10 Mar 2020

My favourite method for 2FA is my Yubikey I just wish more places would offer it as an option.

Andrew129260 · 10 Mar 2020

TairikuOkami said:

I do not, I only use it, when it is forced, like on steam. I use Password123 on 95% of my accounts, just for fun. 3 times it has been stolen according to haveibeenpwned and not a single account was ever hacked. One of the reason I do not like Microsoft is, that it keeps record of previous passwords. I had to change it once and it did not allow me to reuse Password123 afterwards, not even Password321, it was against password policy.

Well......that is certainly interesting....definitely no harm in posting that whatsoever. /s

I can't even begin with how messed up this statement is.

z3r010 said:

My favourite method for 2FA is my Yubikey I just wish more places would offer it as an option.

Just checked them out, looks like they do work already with a lot of things I use. Will probably look into this, thanks

Golden · 10 Mar 2020

Yubikey and the Google Titan key are probably the best 2FA you could use

Andrew129260 · 10 Mar 2020

Golden said:

Yubikey and the Google Titan key are probably the best 2FA you could use

yes, I use my phone as the hardware token. That works well. But I have been thinking about getting an actual security key.

kjlkjadfasdfasd · 10 Mar 2020

Golden said:

Yubikey and the Google Titan key are probably the best 2FA you could use

They are the ultimate, but for now they have limited usefulness for most accounts. I say that because for many accounts, you cannot explicitly require a security key as the only 2nd factor or you can do an account recovery that essentially bypasses it. Many accounts that will let you use them will fall back to another option if the key is not available, and there is no opting out of that.

Microsoft is this way, for example. If I enable a security key on an MS account and I lose my key, I can still get in another way. It's this 'account recovery' that is the weak link for pretty much everyone.

Google's Advanced Threat Protection is the only email offhand I can think of where they require the key, no exceptions. It's pretty easy to use -- I tried it once. It doesn't really noticeably change the end-user experience.

Golden · 10 Mar 2020

kjlkjadfasdfasd said:

Microsoft is this way, for example. If I enable a security key on an MS account and I lose my key, I can still get in another way. It's this 'account recovery' that is the weak link for pretty much everyone.

Yes, that is a valid concern. My understanding is that some services (I believe Bitwarden might be one) allow you to forgo a second authentification option, but that option is generally far and few between on many services unfortunately.