Businesses and individuals relying on passwords alone to protect online accounts face a growing wave of automated attacks that exploit stolen credentials at scale. The Cybersecurity and Infrastructure Security Agency has stated that multi-factor authentication adds strong protection against account takeover by “greatly increasing the level of difficulty” for bad actors. A technical paper from the United Kingdom’s National Cyber Security Centre, drawing on Microsoft data covering billions of attacks, maps how credential stuffing, brute force, and phishing techniques succeed against password-only accounts but stall when a second authentication factor is present. The gap between protected and unprotected accounts is not marginal. It is the difference between routine compromise and effective defense.
Why a second authentication factor changes the calculus for attackers
Automated account-takeover campaigns depend on speed and volume. Attackers harvest credentials from data breaches, then feed millions of username-password pairs into bots that test them across banking portals, email services, and enterprise applications. When an account is secured only by a password, a single valid match grants full access. Adding a second factor, such as a one-time code or a hardware security key, forces the attacker to clear an additional barrier for every login attempt. That friction is enough to break the economics of large-scale automated campaigns, because the cost per successful takeover rises sharply while the yield per bot run drops.
CISA’s public guidance frames MFA as the control that keeps compromised passwords from becoming compromised accounts. In its advice on strong authentication, the agency describes MFA as a measure that makes unauthorized access far harder even after a password has been exposed, a position consistent with federal standards maintained by the National Institute of Standards and Technology. NIST’s small business guidance directs organizations to SP 800-63, its Digital Identity Guidelines, which define acceptable authenticator types and assurance levels for federal systems and serve as a reference for private-sector security teams.
The practical question for most organizations is not whether MFA works against automated attacks but which form of MFA to deploy. SMS-based codes stop simple credential-stuffing bots that have no mechanism to intercept text messages. Phishing-resistant methods, such as FIDO2 hardware keys, go further by binding the authentication to a specific device and origin, which blocks adversary-in-the-middle (AiTM) phishing that can capture one-time codes in transit. The NCSC’s technical paper explicitly maps AiTM phishing as a distinct attack technique and evaluates how different credential types hold up against it. That distinction matters: an attacker who can relay an SMS code in real time still fails against a hardware token that refuses to authenticate on a spoofed domain.
What Microsoft’s attack data and NCSC analysis reveal
The strongest public evidence for MFA’s effectiveness against automated takeover comes from the NCSC’s comparison of traditional and FIDO2 credentials, which draws on Microsoft telemetry covering billions of attacks. That dataset captures the full spectrum of opportunistic, high-volume automated traffic that most organizations face daily. The analysis groups attack methods into categories: credential harvesting, brute force, credential stuffing, and AiTM phishing. For each category, the paper evaluates how traditional passwords, passwords plus SMS codes, and FIDO2 credentials perform under real-world conditions.
Password-only accounts collapse under every category. Credential-stuffing bots succeed whenever a reused password matches, and brute-force tools crack weak passwords without human intervention. Adding any second factor blocks the bulk of these automated runs because the attacker must also obtain or intercept the additional credential. The separation between SMS-based MFA and phishing-resistant MFA becomes visible at the AiTM stage. An attacker running a reverse-proxy phishing kit can capture both the password and the SMS code as the victim enters them. FIDO2 keys, by contrast, perform a cryptographic handshake tied to the legitimate site’s domain, so a phishing proxy cannot replay the response. The NCSC paper treats this as a qualitative difference in security properties rather than a minor incremental gain.
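The origin binding described above (and in the earlier paragraph on FIDO2 keys) can be made concrete with a simplified model of the relying party's assertion check. This is an added example, not code from the NCSC paper or any WebAuthn library; the domain names are constructed, and an HMAC stands in for the authenticator's real ES256 signature so the script runs with the standard library only.

```python
"""Simplified model of why a FIDO2/WebAuthn assertion survives AiTM relay while an SMS code does not."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                              # constructed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"            # constructed legitimate origin
PHISHING_ORIGIN = "https://login-example.com.evil.test"  # constructed reverse-proxy domain


def authenticator_sign(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """Models browser + authenticator: the browser records the origin it actually loaded,
    and the signature covers that clientDataJSON, so the origin cannot be swapped later."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    # authenticatorData = sha256(rpId) || flags || 4-byte signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # HMAC stands in for ES256 (assumption)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(cred_key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: challenge, origin, rpIdHash and signature must all check out."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge.hex():
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False  # a response relayed from the phishing domain fails here
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login(browser_origin: str) -> bool:
    """One login round: fresh credential key and challenge, assertion produced on browser_origin."""
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    return verify_assertion(key, challenge, authenticator_sign(key, browser_origin, challenge))


def legitimate_login() -> bool:
    return login(EXPECTED_ORIGIN)


def aitm_relayed_login() -> bool:
    # In practice the browser already refuses to use an RP ID that does not match the page;
    # this models the server-side check that rejects the relayed response regardless.
    return login(PHISHING_ORIGIN)


def sms_code_check(issued_code: str, submitted_code: str) -> bool:
    """SMS/OTP check: nothing ties the code to the page that collected it, so a relayed code passes."""
    return hmac.compare_digest(issued_code, submitted_code)
```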
A RAND Corporation research report referenced in the NCSC analysis adds institutional weight to these findings by examining authentication methods through a policy and usability lens. The convergence of operational telemetry from Microsoft, technical evaluation from NCSC, and policy analysis from RAND builds a layered case: MFA stops the vast majority of automated attacks, and phishing-resistant forms extend that protection to more sophisticated campaigns that can defeat weaker second factors. This triangulation is important for decision-makers who must justify investments in stronger authenticators against competing priorities.
Gaps in the public record on MFA effectiveness
Despite the strength of the available evidence, several questions remain open. Neither the NCSC paper nor CISA’s guidance publishes a precise percentage for the share of automated attacks blocked by MFA in the Microsoft dataset. The phrase “billions of attacks” establishes scale, but without a published success-rate breakdown by MFA type, organizations cannot calculate exact risk reduction when choosing between SMS codes and hardware keys. The hypothesis that phishing-resistant MFA reduces automated account-takeover success rates by at least an order of magnitude more than SMS-based MFA is consistent with the NCSC’s qualitative analysis, yet no primary source in the current public record provides a definitive numerical comparison.
Another gap involves real-world deployment patterns. Public sources describe how different authenticators behave under attack, but they say less about how often users enroll in stronger options when given a choice, or how frequently they fall back to weaker recovery methods such as email links or security questions. These practical details matter because an attacker will always target the weakest available path. A system that supports hardware keys but routinely resets accounts through unprotected channels may still be vulnerable, even if the primary login flow is robust.
The public record also has limited information on long-term attacker adaptation. Microsoft telemetry, as summarized by NCSC, shows how current attack tools fare against today’s MFA deployments. What remains unclear is how quickly criminal groups will invest in more advanced AiTM infrastructure, SIM-swap capabilities, or social engineering scripts as phishing-resistant MFA becomes more common. Historical experience with password policies suggests that adversaries eventually tune their tactics to match defender behavior. Without longitudinal data on MFA-specific adaptation, defenders must rely on conservative assumptions and layered controls.
Balancing usability, assurance, and implementation cost
Within these constraints, organizations still need to make practical choices. NIST’s digital identity work emphasizes that authentication strength must be balanced with usability and operational feasibility. For low-risk applications, SMS codes or app-based prompts may offer sufficient protection against commodity credential stuffing at a relatively low cost and with minimal user friction. For higher-risk systems, such as administrative consoles, financial platforms, or repositories of sensitive personal data, phishing-resistant authenticators are increasingly viewed as the baseline rather than an optional enhancement.
Implementation details can determine whether a theoretically strong MFA scheme delivers its promised protection. Enforcing MFA on all remote access paths, disabling legacy protocols that bypass modern authentication, and monitoring for anomalous login patterns are all necessary complements. Clear communication with users about why MFA is required, how to enroll, and how to handle lost devices reduces help-desk strain and discourages insecure workarounds. Organizations that treat MFA as a one-time technical project, rather than an ongoing program with training and monitoring, risk leaving gaps that automated attackers can still exploit.
Security teams can also look to established technical references for broader context. NIST’s extensive chemical data resources illustrate the agency’s general approach to publishing structured, peer-reviewed information for practitioners. While unrelated to authentication, that same emphasis on transparent, well-documented standards underpins the digital identity guidelines that inform many MFA deployments. Drawing on such vetted frameworks helps organizations avoid ad hoc choices driven solely by vendor marketing or anecdote.
A cautious but clear conclusion
Even with gaps in quantitative detail, the direction of the evidence is consistent. Password-only accounts are systematically vulnerable to automated takeover. Adding a second factor sharply reduces the success of credential stuffing and brute force attacks, and phishing-resistant authenticators further constrain adversaries who can intercept one-time codes. CISA’s guidance, NIST’s digital identity framework, and the Microsoft data analyzed by NCSC all point toward the same operational lesson: MFA, properly implemented, transforms account takeover from a routine outcome into an exception.
For organizations planning their next steps, the absence of perfect numbers should not be a reason for inaction. The available research supports a phased approach: mandate some form of MFA everywhere, prioritize phishing-resistant methods for high-value accounts, and continuously close gaps in enrollment, recovery, and monitoring. As more telemetry and formal studies emerge, defenders will be able to refine these choices. Until then, the weight of current evidence makes one conclusion difficult to escape: in a landscape dominated by automated attacks, relying on passwords alone is a strategic mistake, while moving decisively toward MFA is one of the clearest, most evidence-backed improvements available.
*This article was researched with the help of AI, with human editors creating the final content.