Microsoft Reports 92% User Adoption Rate for Phishing-Resistant MFA

More than nine in ten Microsoft corporate users must now use phishing-resistant multifactor authentication (MFA) to sign in, according to the tech giant.

On April 21, Microsoft released its second update report for the Secure Future Initiative (SFI), a company-wide initiative launched by the firm’s CEO, Satya Nadella, in November 2023, aiming to set cybersecurity as a top priority across the board.

One of the main highlights was the adoption rate of MFA, with 92% of employee productivity accounts now using phishing-resistant MFA.

This is “a significant milestone in protecting against social engineering and credential-based attacks,” Microsoft said.

Progress in Security by Design and Security Governance

The SFI was launched on the heels of a July 2023 attack by a China-based nation-state actor, Storm-0558, which targeted identity access, and a subsequent attack by a Russian nation-state actor attributed to Midnight Blizzard – also known as Cozy Bear and APT29.


In an exclusive interview with Infosecurity, Vasu Jakkal, Corporate Vice President of Microsoft Security, said of the launch of the SFI: “We recognized the need to change our security approach and to make it a priority.”

She continued: “For us, it was a cultural transformation as much as a technological one because there is no way the security team can secure everything. You need every single employee at Microsoft to follow best practices, ensuring that we design code that is secure and so on. We’ve revised our company incentives and made security a co-priority for every employee.”

Microsoft has shared progress made by the SFI around its three transversal missions:

  • Make progress in Secure by Design, Secure by Default and Secure in Operations: security-focused tools and training, including a new UX toolkit, security reviews for AI development, and training for 50,000 employees
  • Adopt a company-wide security-first mindset: security is now a core priority tied to employee performance reviews, with 99% of employees having completed security courses
  • Achieve stronger security governance to manage enterprise-wide risk: a new governance structure, Deputy CISOs, and an enterprise-wide risk inventory to improve security risk visibility and accountability

Five out of 28 of Microsoft’s Security Objectives Almost Complete

Alongside the transversal missions, Microsoft built the SFI around 28 measurable objectives across six pillars:

  1. Protect identities and secrets
  2. Protect tenants and isolate production systems
  3. Protect networks
  4. Protect engineering systems
  5. Monitor and detect threats
  6. Accelerate response and remediation

According to its latest update, the company has made substantial headway on the 28 objectives, with five nearing completion and 11 achieving significant progress, while continuing to advance on those remaining.

The same day Microsoft published the report, the company announced that it had held its inaugural Zero Day Quest event, which awarded over $1.6m for vulnerability submissions.

The report also comes a week after Microsoft was observed subtly rolling out Recall, its controversial functionality that periodically captures desktop snapshots and stores them in a local repository, to the Windows 11 Release Preview channel for Copilot+ PCs.