MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.
Posted on February 6, 2024 by Kayleigh Wilkinson
Unfortunately, obtaining any username and password is child’s play for cyber-criminals, who use various methods to gather this data, including phishing, malware, or purchasing them on the dark web.
To offset this risk, best practice is to always use multi-factor authentication (MFA). This is the process of needing more than one piece of information to log in to a secure website or service, so users are prevented from logging in without first entering additional verification such as a one-time pin or biometric ID. Often MFA is set up as a push notification to the user's phone, which they must then click to approve or decline. The idea is that if someone else manages to obtain the login information, they will still not be able to complete the process without this additional step.
The risk of MFA Fatigue
So, what is MFA fatigue? It is the risk of a user hitting ‘approve’ on an MFA device without checking first that it is something which should be authorised. With so many different log-in credentials and so many applications using MFA there is a worrying rise in people becoming less vigilant. Hackers rely on this haste, distractedness, or lack of focus to gain access to your software, with your MFA approval, without your knowledge! While hackers can use numerous other methods to bypass multi-factor authentication, most involve more complicated malware or phishing attack frameworks.
An MFA fatigue attack is when a hacker runs a script that attempts to log in over and over, sending constant MFA push requests to the account owner’s device. Ultimately, the account holder gets so overwhelmed or frustrated that they click on the ‘Approve’ button to simply stop the constant notifications they are receiving.
If you do receive constant requests for MFA but you know you have not attempted a login, please decline and contact the IT admin or support company for your organisation. After discussion with IT and/or your line manager, you should change the password for your account to prevent the hacker from continuing to generate MFA requests.
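The pattern described above (a burst of push prompts that are declined or time out, sometimes followed by an approval) is something an IT team can look for in its identity provider's logs. As an added example, not code from the original post or from any particular MFA product, here is a small Python detector that runs over a constructed push-notification log and raises an alert for any account that receives repeated unapproved prompts inside a short window, escalating the severity when an approval follows the flood. The log format, field names, the ten-minute window and the threshold of five prompts are all assumptions for illustration; adapt parse_line() to your own provider's export.

```python
"""Detect MFA push floods ("MFA fatigue") in an authentication log.

Added example; the log format below is constructed for this illustration
and does not correspond to any specific identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample log: one push notification per line.
# 'result' is one of approved / denied / timeout; 'src' is the requesting IP.
SAMPLE_LOG = """\
2024-02-06T08:55:10Z user=alice result=approved src=198.51.100.4
2024-02-06T09:01:12Z user=bob result=denied src=203.0.113.7
2024-02-06T09:01:40Z user=bob result=timeout src=203.0.113.7
2024-02-06T09:02:05Z user=bob result=denied src=203.0.113.7
2024-02-06T09:02:33Z user=bob result=timeout src=203.0.113.7
2024-02-06T09:03:01Z user=bob result=denied src=203.0.113.7
2024-02-06T09:03:29Z user=bob result=denied src=203.0.113.7
2024-02-06T09:04:10Z user=bob result=approved src=203.0.113.7
2024-02-06T09:10:00Z user=carol result=denied src=192.0.2.9
2024-02-06T10:30:00Z user=carol result=denied src=192.0.2.9
"""


def parse_line(line):
    """Parse one '<timestamp> key=value ...' line into a dict.

    The 'ts' field is converted to a timezone-aware datetime so that
    windows can be compared arithmetically.
    """
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received at least `threshold` push
    prompts that were NOT approved (denied or timed out) within `window`.

    If an 'approved' result follows the flood inside the same window, the
    alert is marked severity 'high': the user may have approved simply to
    stop the notifications, which is the outcome an MFA fatigue attack aims for.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["result"] != "approved"]
        # Slide a window over the unapproved prompts; the first window that
        # reaches the threshold produces the alert for this user.
        for i, first in enumerate(unapproved):
            in_window = [e for e in unapproved[i:] if e["ts"] - first["ts"] <= window]
            if len(in_window) < threshold:
                continue
            flood_start, flood_end = first["ts"], in_window[-1]["ts"]
            approved_after = any(
                e["result"] == "approved" and flood_end < e["ts"] <= flood_start + window
                for e in evs
            )
            alerts.append({
                "user": user,
                "prompts": len(in_window),
                "start": flood_start.isoformat(),
                "end": flood_end.isoformat(),
                "sources": sorted({e["src"] for e in in_window}),
                "severity": "high" if approved_after else "medium",
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the constructed log, bob receives six unapproved prompts in just over two minutes and then approves, so the detector raises a single high-severity alert for bob; carol's two denials are eighty minutes apart and stay below the threshold. In practice a medium alert is a cue to contact the user and confirm they did not attempt the login, and a high alert should be treated as a possible account compromise warranting a password reset and session review, in line with the advice above.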
This type of social engineering has proven to be very successful when breaching large and well-known organisations, such as Microsoft, Cisco, and now Uber.
A vital message for everyone to understand when it comes to MFA is that nothing and no one other than you will ever generate the need for an app or phone approval. If you are prompted or asked via email or messaging to approve one, please ALWAYS ignore the request and report the incident.
Awareness Training
Your staff are your first line of defence against cybercrime: they are your human firewall. If they do not feel confident in cybersecurity awareness and in following the correct procedures, they can become your biggest weakness. Phish Threat testing and consistent cybersecurity awareness training will help your staff understand the threat of cybercrime, detect threats and shut them down before they become an expensive problem. Read more about training for your staff here.
Did you know cyber training is mandated?
The Information Commissioner's Office (ICO) is the UK body responsible for prosecuting organisations that fail to keep data safe. In December 2021, the ICO issued new guidance stating that it expects all staff and volunteers who have access to data to receive cyber awareness training as part of their induction, before they are given such access. Furthermore, it mandates that training should be ongoing for all employees, and that an organisation should be able to demonstrate completion of training and management of non-attendees.