Multifactor Authentication Blocks 99.9% of Automated Account Attacks

MFA

Microsoft and Google have both reported that accounts with multi-factor authentication (MFA) enabled resist more than 99.9% of automated, bot-driven account attacks. DriveStrike supports MFA and encourages you to use it everywhere you can.

If a service provider supports multi-factor authentication, use it, even when the only second factor offered is a one-time password sent by SMS. SMS codes are the weakest common option (they can be intercepted by SIM swapping or relayed by a phishing site), so prefer an authenticator app or a hardware security key where one is offered, but any second factor is a large improvement over a password alone.

Several security studies show that automated attacks, which make up the vast majority of account compromises, fail when MFA is in place, and that each additional barrier raises the attacker's cost per account steeply enough that automated campaigns move on to easier targets.

Google reported: “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.” View the article here.

Complex and Long Passwords Don’t Help as Much Anymore

Cheap, powerful computing is everywhere, which means attackers have ready access to cracking hardware, phishing kits and credential lists. The old advice, “don’t use a password that has appeared in a breach” (lists are available at https://haveibeenpwned.com/) and “use really long, complicated passwords”, helps less than it once did, because most account takeovers never depend on guessing the password at all.
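To show what the breached-password check referred to above actually does, here is an added example (not DriveStrike's code) of the k-anonymity lookup used by the Pwned Passwords service at haveibeenpwned.com: only the first five hex characters of the password's SHA-1 leave the client, and the client compares the returned suffixes locally. The range responses below are a constructed offline stand-in for the real API (the real service answers every prefix and the hit count shown is made up); `fetch_range` and `pwned_count` are names chosen for this example.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range API (not real data).
# For a 5-hex-character SHA-1 prefix the real service returns one line per
# matching hash: "<remaining 35 hex chars>:<times seen in breaches>".
# Only one prefix is populated here and the counts are invented.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2F5A1E9B8C4E0F2B3A4C5D6E7F8091A2B:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
        "2A3B4C5D6E7F8091A2B3C4D5E6F708192A3:17",
    ]),
}


def fetch_range(prefix: str) -> str:
    """Offline replacement for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 if never).

    The password itself, and even its full hash, never leave the client: only the
    5-character prefix is sent, and the suffix comparison happens locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times in breaches' % n if n else 'not in the corpus'}")
```

A count of zero only means the password is absent from the corpus the service has indexed; as the rest of this section argues, it says nothing about whether the password will be phished or replayed from a site that leaks it tomorrow.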

Large identity providers report that even where leaked credentials are blocked and long, complex passwords are enforced, accounts continue to be compromised at an alarming rate.

Consider the methods attackers use to obtain users’ credentials. In most of them the password and its complexity do not matter, because the attacker obtains the exact password rather than guessing it.

Credential stuffing
Also known as: breach replay, list cleaning.
Frequency: Very high. More than 20 million accounts are probed daily.
Difficulty and mechanism: Very easy. Buy credentials harvested from breached sites with poor data-at-rest protection and test them for matches on other systems. “List cleaning” tools that weed out pairs that no longer work are readily available.
User assists the attacker by: Reusing the same password on more than one account. More than 50% of users reuse passwords across systems.
Does your password matter? No. The attacker already has the exact password.

Phishing
Also known as: man-in-the-middle, credential interception.
Frequency: Very high. About 0.5% of all inbound mail.
Difficulty and mechanism: Easy. Send emails that promise entertainment or threaten consequences and link the user to a cloned sign-in page. Capture the credentials as they are entered.
User assists the attacker by: Being busy, distracted, curious or worried and dropping their guard.
Does your password matter? No. The user hands the password to the attacker.

Keystroke logging
Also known as: malware, sniffing.
Frequency: Low.
Difficulty and mechanism: Medium. Malware records and transmits everything typed on the keyboard, including usernames and passwords.
User assists the attacker by: Visiting insecure websites, downloading unvetted software, not running malware scans regularly.
Does your password matter? No. The malware captures exactly what is typed.

Local discovery
Also known as: dumpster diving, physical reconnaissance, network scanning.
Frequency: Low.
Difficulty and mechanism: Difficult. Search the office or a notebook for written-down passwords. Scan the network for open shares. Scan for credentials in code or maintenance scripts.
User assists the attacker by: Writing passwords down because there are too many to remember; putting personal passwords into scripts or reusing them for other accounts.
Does your password matter? No. The exact password is discovered.

Extortion
Also known as: blackmail, insider threat.
Frequency: Very low.
Difficulty and mechanism: Difficult. Threaten to harm or embarrass the account holder unless they give up the credentials.
User assists the attacker by: Failing to report the threat.
Does your password matter? No. The exact password is disclosed.

Password spray
Also known as: guessing, hammering, low-and-slow.
Frequency: Very high. Millions of accounts are probed daily.
Difficulty and mechanism: Trivial. Use easily acquired user lists and try the same password against a very large number of usernames. Throttle the rate and spread attempts across many IP addresses to stay under lockout thresholds and evade detection. Tools are everywhere and inexpensive.
User assists the attacker by: Using common or previously compromised passwords.
Does your password matter? Only narrowly. A spray tries a handful of common passwords against everyone, so a unique, uncommon password is simply not on the list; a common one is found quickly.

Brute force
Also known as: database extraction, cracking.
Frequency: Very low.
Difficulty and mechanism: Varies. Penetrate the network to extract the credential database, then crack the password hashes offline. Difficulty depends on the hashing scheme: fast, unsalted hashes fall quickly, slow salted hashes make every guess expensive.
User assists the attacker by: Nothing. No user action is required.
Does your password matter? Only against the offline cracking step. A long, uncommon password under a slow hash can hold out; a short or common one is recovered given time.
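The table describes password spray as the same password tried against many usernames at a throttled rate, and brute force as repeated attempts against one account. Both leave a recognisable shape in sign-in logs, and the following added example (not DriveStrike's code) runs that detection over a constructed sign-in log: one source that fails once each against many users (a spray), a success from that same source (one of the sprayed passwords worked), and one user hammered repeatedly. The log format, the `parse` and `detect` functions, and the thresholds are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data), one attempt per line.
# 203.0.113.5 sprays a single password across six users and hits on "frank";
# 198.51.100.7 hammers the "admin" account; 192.0.2.10 is a normal sign-in.
SAMPLE_LOG = """
2024-05-01T10:00:01Z src=192.0.2.10 user=alice result=OK
2024-05-01T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:14Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:20Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:27Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:33Z src=203.0.113.5 user=frank result=OK
""" + "".join(
    f"2024-05-01T10:01:{i:02d}Z src=198.51.100.7 user=admin result=FAIL\n" for i in range(12)
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(text):
    """Turn raw log text into (timestamp, src, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, spray_max_per_user=2, brute_attempts=10):
    """Return (finding, subject) pairs per tumbling time window.

    password_spray:             one source fails against many users, few tries per user
    distributed_password_spray: same shape across the window but no single source stands out
    targeted_guessing:          one account accumulates many failures (online brute force)
    spray_success:              a spraying source later succeeds, i.e. a sprayed password worked
    """
    findings = []
    epoch = datetime(1970, 1, 1)
    by_window = defaultdict(list)
    for ev in events:
        by_window[int((ev[0] - epoch) / window)].append(ev)

    for slot in sorted(by_window):
        evs = by_window[slot]
        fails_by_src_user = Counter((src, user) for _, src, user, ok in evs if not ok)
        fails_by_user = Counter(user for _, src, user, ok in evs if not ok)
        users_by_src = defaultdict(set)
        for (src, user) in fails_by_src_user:
            users_by_src[src].add(user)

        sprayers = set()
        for src, users in users_by_src.items():
            worst = max(fails_by_src_user[(src, u)] for u in users)
            if len(users) >= spray_users and worst <= spray_max_per_user:
                sprayers.add(src)
                findings.append(("password_spray", src))

        # The distributed case from the table: many IPs each contribute a few failures.
        if not sprayers and len(fails_by_user) >= spray_users and max(fails_by_user.values()) <= spray_max_per_user:
            findings.append(("distributed_password_spray", f"window {slot}"))

        for user, n in fails_by_user.items():
            if n >= brute_attempts:
                findings.append(("targeted_guessing", user))

        for _, src, user, ok in evs:
            if ok and src in sprayers:
                findings.append(("spray_success", user))
    return findings


if __name__ == "__main__":
    for finding, subject in detect(parse(SAMPLE_LOG)):
        print(f"{finding}: {subject}")
```

The thresholds are deliberately conservative; in production they would be tuned to the tenant's normal failure rate, and the `spray_success` finding is the one worth paging on, because it identifies exactly the account whose common password the table warns about.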

Enabling multi-factor authentication blocks more than 99.9% of these unauthorized sign-in attempts, even when the attacker already holds your current password. The reason is that the password alone no longer completes the login: the attacker also needs a second credential that expires. With a time-based one-time password (TOTP) the code is computed from a secret shared between the service and your authenticator app together with the current time, so it changes every 30 seconds; an SMS code typically lasts a few minutes. A stolen code is worthless once its window has closed, so the attacker must obtain both your password and a fresh code inside that window.

Capturing or compromising MFA tokens at scale is rare and expensive compared with the attacks above, so it is generally reserved for high-value targets. The practical exception is real-time phishing, where a proxy site relays the victim’s password and one-time code to the real service inside the code’s validity window; phishing-resistant factors such as FIDO2/WebAuthn security keys are bound to the legitimate site’s origin and are not fooled by it.

Bottom line: use multi-factor authentication to protect your accounts, and protect the mobile device that displays or receives your MFA codes with DriveStrike, so that if it is lost or stolen you can wipe it remotely.

About Spearstone

Spearstone, 2008 Digital IQ award recipient for IT Security, is a software development company with enterprise customers that include Wells Fargo, Pearson Learning, Logitech, Spacelabs, Sony and RemedyMD. Spearstone’s DriveStrike product provides data breach protection for computers and smartphones, including remote wipe and mobile device management.