Is Multifactor Authentication Less Effective Than It Used to Be?

Online threats are constantly evolving, so it’s often difficult, even counterproductive, to compare how useful a security control is in today’s threat environment to the threat environment of a few years ago. We just recently received some new data from Google suggesting that multifactor authentication may not be as useful now as it once was—but that doesn’t mean you shouldn’t use it. In its 2019 study of user accounts that had two-step verification enabled, Google found that SMS-based multifactor authentication, in which the second factor is a code sent to the user via text message, successfully blocked 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. In 2020, Microsoft also reinforced the effectiveness of multi-factor authentication by announcing at the RSA security conference that 99.9 percent of the compromised accounts it tracked didn’t use multifactor authentication. Even if it is the case that attackers are getting better at bypassing multifactor authentication, that doesn’t mean that it’s not a useful tool or we shouldn’t be using it—we absolutely should.