MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

Unfortunately, obtaining any username and password is child’s play for cyber-criminals, who use various methods to gather this data, including phishing, malware, or purchasing them on the dark web.

To offset this risk, best practice is to always use multi-factor authentication (MFA). This is the process of needing more than one piece of information to log in to a secure website or service, so users are prevented from logging in without first entering additional verification such as a one-time pin or biometric ID. Often MFA is set up as a push notification to a user’s phone, they then must click to approve or decline. The idea being that if someone else manages to obtain the log in information they will not actually be able to complete the process without this additional step.

The risk of MFA Fatigue

So, what is MFA fatigue? It is the risk of a user hitting ‘approve’ on an MFA device without checking first that it is something which should be authorised.  With so many different log-in credentials and so many applications using MFA there is a worrying rise in people becoming less vigilant. Hackers rely on this haste, distractedness, or lack of focus to gain access to your software, with your MFA approval, without your knowledge! While hackers can use numerous other methods to bypass multi-factor authentication, most involve more complicated malware or phishing attack frameworks.

An MFA fatigue attack is when a hacker runs a script that attempts to log in over and over, sending constant MFA push requests to the account owner’s device. Ultimately, the account holder gets so overwhelmed or frustrated that they click on the ‘Approve’ button to simply stop the constant notifications they are receiving. 

If you do receive constant requests for MFA, but you know you have not attempted a log in, please decline and contact the IT admin or support company for your organisation. After discussion with IT and/or your line manager you should change the password for your account to prevent the hacker from continuing to generate MFA requests.

This type of social engineering has proven to be very successful when breaching large and well-known organisations, such as MicrosoftCisco, and now Uber.

A vital message for everyone to understand when it comes to MFA, is that nothing or no one will generate the need for an app or phone approval other than you – ever! If you get prompted or asked via email or messaging, please ALWAYS ignore the request and report the incident.

Awareness Training

Your staff are your first line of defence against cybercrime, they are your human firewall.  If they do not feel confident in cybersecurity awareness and following the correct procedures, they can become your biggest weakness.  Phish Threat testing and consistent cybersecurity awareness training will help your staff understand the threat of cybercrime, detect threats and shut them down before they become an expensive problem. Read more about training for your staff here.

cybersecurity team working at ramsac offices

Did you know cyber training is mandated?

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021, the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, and before they are given such access. Furthermore, they mandate that training should be ongoing for all employees, and that an organisation should be able to demonstrate completion of training and management of non-attendees.

Related Posts

  • Understanding Data Exposure Risk in SharePoint and OneDrive

    Understanding Data Exposure Risk in SharePoint and OneDrive

    CybersecurityMicrosoft 365Technical Blog

    As the way we work continues to evolve, proactively managing data exposure in SharePoint and OneDrive is essential to safeguard sensitive information and maintain trust in an AI-driven world. [...]

    Read article

  • Cyber Essentials: Transitioning from the Montpelier to Willow Question Set

    Cyber Essentials: Transitioning from the Montpelier to Willow Question Set

    Cybersecurity

    Cyber Essentials is evolving, on April 28, 2025, the Willow question set will replace Montpelier. Discover what’s changing, how it affects your certification, and how ramsac can help you [...]

    Read article

  • How to know if a Microsoft security alert is real

    How to know if a Microsoft security alert is real

    CybersecurityMicrosoft 365

    Microsoft security alert emails help you to know if someone is potentially trying to illegally access your Microsoft account. However, scammers and cybercriminals are well aware of this and [...]

    Read article

  • Infographic: Cybersecurity protection vs home protection

    Infographic: Cybersecurity protection vs home protection

    Cybersecurity

    Just like protecting your home requires more than a single lock, your business needs multiple layers of cybersecurity to stay resilient. Discover how home security principles apply to cyber [...]

    Read article

  • Hacker Misconceptions: The Good, The Bad, and The Grey

    Hacker Misconceptions: The Good, The Bad, and The Grey

    Cybersecurity

    When you hear the word hacker, you probably think of criminals in dark hoodies, but the reality is far more complex—some hackers protect us, some exploit us, and some [...]

    Read article

  • Social Engineering: The 7 most common tricks cybercriminals use (and how to stop them)

    Social Engineering: The 7 most common tricks cybercriminals use (and how to stop them)

    Cybersecurity

    Discover the top 7 social engineering tricks cybercriminals use to manipulate people into giving away sensitive information, and learn practical steps to protect yourself and your organisation from these [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?