97% of Office 365 users don’t use MFA

Cyber education

12:00 Saturday, 31 October 2020

UK Cyber Security Council

A survey by CoreView has revealed that 97% of users of the Microsoft 365 suite do not use Multi-Factor Authentication (MFA), and that 78% of administrators do not have MFA activated.

MFA is known to be fallible. For example, MFA implementations that rely on SMS text messages are potentially susceptible to hacks on the mobile phone networks over which the text messages travel.

However, MFA is widely recommended as one of the best means of mitigating security risks, particularly when connecting to private organisational systems from the internet and when using cloud services. Microsoft claims that MFA can prevent over 99% of account compromise attacks (that is, attacks in which an individual’s username and password become known to an attacker).

The guidance from the National Cyber Security Centre (NCSC) makes four clear statements regarding MFA:

  • administrators of any system or service, internet-connected or otherwise, should always use MFA.
  • when choosing an internet-connected or cloud service, select one that enforces MFA and make sure everyone – users and administrators – is made to use MFA.
  • be extremely cautious before agreeing the use of a service that does not support MFA.