While we strongly recommend that you put multi-factor authentication (MFA) in place wherever it is available, it is important to acknowledge that cybercriminals are frustratingly inventive. So much so, in fact, that a new form of attack has been developed to take advantage of MFA itself, referred to as MFA fatigue.
Let’s go over what an MFA fatigue attack is, and what you can do to fight back.
MFA Fatigue is a Very Specific Form of Social Engineering
Let me ask you a question: if one of the applications on your mobile device prompted you to log in once again, would you hesitate to do so? What if a notification appeared, asking you to confirm a two-factor authentication prompt? What if that notification kept appearing until you did, assuming that the system was just glitching?
This is precisely how MFA fatigue works.
The purpose behind MFA is to help keep your account secure even if your password has been compromised. By adding an additional proof factor to the authentication process, MFA is supposed to make it harder for the person who compromised your password to actually access the account. However, when a cybercriminal enters your credentials, you will still receive the prompt to confirm the login, and the attacker can repeat this as often as they like. Some of these prompts even arrive as SMS messages and voice calls, which confuses the user further.
This brings us back to our initial question: would you question an authentication prompt, particularly if you were trying to do something else, especially if it kept popping back up again and again?
The cybercriminals responsible are betting that you won’t.
There are a few clear and unmistakable warning signs that an MFA fatigue attack is afoot:
- You receive approval requests without having attempted to log into an application.
- You receive multiple requests from a single application in a short span of time.
- You receive authentication request notifications at odd hours.
How to Take the Teeth Out of MFA Fatigue
Fortunately, there are a few things you can do to help limit the efficacy of MFA fatigue attacks. A strong, unique password is a great starting point, so long as you keep it secure, because the attack only begins once a password has been compromised. You and your team also need to be more cognizant of when you are receiving an MFA prompt and whether or not you requested it, denying any prompt that you did not initiate yourself.
Limiting the number of prompts your MFA solution of choice will send to a user within a predetermined time window is also a helpful precaution, since it removes the attacker's ability to keep hammering the user until they give in.
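The three warning signs listed above and the prompt-limiting precaution can both be expressed as simple checks over an identity provider's push-notification log. The following Python is an added example, not code from the original post or from Twintel: the log format (timestamp, user, event, result), the field names, the 5-minute window, the 3-prompt threshold and the hours treated as "odd" are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""Spot MFA-fatigue patterns in push-notification logs and rate-limit prompts.

Added example; the log format, field names and thresholds are assumptions
for illustration, not the output of any particular MFA product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <result>".
# alice is hit with five prompts in under two minutes at 02:14 and finally
# approves one; bob has a normal daytime login; carol denies an odd-hour prompt.
SAMPLE_LOG = """\
2024-03-12T02:14:05Z alice push_sent pending
2024-03-12T02:14:20Z alice push_sent pending
2024-03-12T02:14:41Z alice push_sent pending
2024-03-12T02:15:03Z alice push_sent pending
2024-03-12T02:15:30Z alice push_sent pending
2024-03-12T02:16:10Z alice push_result approved
2024-03-12T09:30:00Z bob push_sent pending
2024-03-12T09:30:12Z bob push_result approved
2024-03-12T23:45:00Z carol push_sent pending
2024-03-12T23:45:10Z carol push_result denied
"""

WINDOW = timedelta(minutes=5)          # look-back window for counting prompts (assumption)
MAX_PROMPTS = 3                        # prompts allowed per window before flagging (assumption)
ODD_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}  # UTC hours treated as "odd hours" (assumption)


def parse(log_text):
    """Turn the text log into (timestamp, user, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def find_fatigue_candidates(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Warning sign 2: users who got more than max_prompts pushes inside any
    sliding window of length `window`. Returns {user: peak count in a window}."""
    sent = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "push_sent":
            sent[user].append(ts)
    flagged = {}
    for user, times in sent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_prompts:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def odd_hour_prompts(events, odd_hours=ODD_HOURS):
    """Warning sign 3: users who received a push during the odd-hours set."""
    return {user for ts, user, event, _ in events
            if event == "push_sent" and ts.hour in odd_hours}


def denied_prompts(events):
    """Warning sign 1 as the user experiences it: a denied prompt means the user
    saw a request they did not initiate, which is worth a follow-up on its own."""
    return {user for _, user, event, result in events
            if event == "push_result" and result == "denied"}


def should_send_prompt(recent_sent_times, now, window=WINDOW, max_prompts=MAX_PROMPTS):
    """The 'limit the number of prompts' precaution as a policy check: refuse to
    send another push once the user already has max_prompts inside the window."""
    in_window = [t for t in recent_sent_times if now - t <= window]
    return len(in_window) < max_prompts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("bursty prompts:", find_fatigue_candidates(evs))
    print("odd-hour prompts:", odd_hour_prompts(evs))
    print("denied prompts:", denied_prompts(evs))
```

On the sample data this flags alice for the burst of prompts (a peak of five inside one window) and for the odd hour, flags carol for the odd hour and the denial, and leaves bob alone; `should_send_prompt` would have refused alice's fourth and fifth pushes, which is exactly the point of the rate limit. In practice you would feed it your identity provider's sign-in or push logs and tune the window and threshold to your own users' normal behaviour before alerting on them.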
Twintel has grown into an expansive, full team of IT services professionals, acting as the outsourced IT department of non-profits, small to mid-size businesses, and enterprise-level corporations in Orange County, across California, and nationally.
Today, it’s the strength and deep expertise of the Twintel team that drives positive outcomes for clients. Each of the support staff, technicians, and engineers works diligently each day to make sure that the companies served have the seamless, secure, and stable IT environments needed to allow them to pursue their organizational objectives.