MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

Unfortunately, obtaining any username and password is child’s play for cyber-criminals, who use various methods to gather this data, including phishing, malware, or purchasing them on the dark web.

To offset this risk, best practice is to always use multi-factor authentication (MFA). This is the process of requiring more than one piece of information to log in to a secure website or service, so that a user cannot log in without first providing additional verification such as a one-time PIN or a biometric ID. MFA is often set up as a push notification to the user's phone, which they must then approve or decline. The idea is that if someone else obtains the login details, they still cannot complete the login without this additional step.

The risk of MFA Fatigue

So, what is MFA fatigue? It is the risk of a user hitting ‘approve’ on an MFA device without first checking that the request is one that should be authorised. With so many different login credentials and so many applications using MFA, there is a worrying rise in people becoming less vigilant. Hackers rely on this haste, distraction or lack of focus to gain access to your software, with your MFA approval but without your knowledge! While hackers can use numerous other methods to bypass multi-factor authentication, most involve more complicated malware or phishing attack frameworks.

An MFA fatigue attack is when a hacker runs a script that attempts to log in over and over, sending constant MFA push requests to the account owner’s device. Ultimately, the account holder gets so overwhelmed or frustrated that they click on the ‘Approve’ button simply to stop the constant notifications they are receiving.

If you do receive constant requests for MFA but you know you have not attempted a login, please decline and contact the IT admin or support company for your organisation. After discussion with IT and/or your line manager, you should change the password for your account to prevent the hacker from continuing to generate MFA requests.
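The pattern described above (a burst of push requests that the account holder does not approve, sometimes followed by a single approval) is something an IT team can look for in its sign-in logs rather than relying only on the user to report it. The following is an added example, not ramsac's code or any product's detection rule: it reads a constructed, simplified log of MFA push results (timestamp, user, source IP, result), raises a "push_burst" alert when four or more denied or timed-out pushes land within five minutes for one user, and raises an "approve_after_burst" alert when an approval follows such a burst, which is the point at which IT should treat the account as compromised and follow the password-change advice above. The log format, field names and thresholds are assumptions for the example; real identity providers use their own field names.

```python
"""Flag MFA push-bombing patterns in a simplified sign-in log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real identity provider.
# Each line: ISO-8601 timestamp, username, source IP, MFA push result.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z alice 203.0.113.10 push_denied
2023-03-01T08:00:12Z alice 203.0.113.10 push_timeout
2023-03-01T08:00:25Z alice 203.0.113.10 push_denied
2023-03-01T08:00:40Z alice 203.0.113.10 push_timeout
2023-03-01T08:00:58Z alice 203.0.113.10 push_denied
2023-03-01T08:01:15Z alice 203.0.113.10 push_approved
2023-03-01T09:30:00Z bob 198.51.100.7 push_approved
2023-03-01T12:00:00Z carol 192.0.2.44 push_denied
2023-03-01T15:00:00Z carol 192.0.2.44 push_approved
"""

NOT_APPROVED = {"push_denied", "push_timeout"}


@dataclass
class PushEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str


def parse_log(text):
    """Parse the constructed log format into PushEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, result = line.split()
        events.append(PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, src_ip, result))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=4):
    """Return a list of (user, src_ip, kind, timestamp) alerts.

    kind is "push_burst" when `threshold` or more non-approved pushes for one
    user fall inside `window`, and "approve_after_burst" when an approval
    arrives while such a burst is still inside the window.  Events are keyed
    by user, not by source IP, because the sender's address can change
    between attempts while the victim's device stays the same.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent non-approved pushes
    burst_alerted = set()        # users already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        # Drop pushes that have fallen outside the sliding window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if ev.result in NOT_APPROVED:
            q.append(ev.ts)
            if len(q) >= threshold and ev.user not in burst_alerted:
                burst_alerted.add(ev.user)
                alerts.append((ev.user, ev.src_ip, "push_burst", ev.ts))
        elif ev.result == "push_approved":
            if len(q) >= threshold:
                alerts.append((ev.user, ev.src_ip, "approve_after_burst", ev.ts))
            # An approval ends the current burst, whoever approved it.
            q.clear()
            burst_alerted.discard(ev.user)
    return alerts


if __name__ == "__main__":
    for user, src_ip, kind, ts in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:>20} user={user} src={src_ip}")
```

In the sample, alice receives five unapproved pushes in under a minute and then approves one, so both alerts fire for her; carol's single denial three hours before her approval falls outside the window and produces nothing. The "approve_after_burst" alert is the one to escalate, since by the time it fires the attacker already holds a valid session.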

This type of social engineering has proven to be very successful when breaching large and well-known organisations, such as Microsoft, Cisco, and now Uber.

A vital message for everyone to understand when it comes to MFA is that nothing and no one will generate the need for an app or phone approval other than you – ever! If you are prompted, or asked via email or messaging to approve a request, please ALWAYS ignore the request and report the incident.

Awareness Training

Your staff are your first line of defence against cybercrime; they are your human firewall. If they do not feel confident in cybersecurity awareness and in following the correct procedures, they can become your biggest weakness. Phish Threat testing and consistent cybersecurity awareness training will help your staff understand the threat of cybercrime, detect threats and shut them down before they become an expensive problem. Read more about training for your staff here.


Did you know cyber training is mandated?

The Information Commissioner's Office (ICO) is the UK body responsible for prosecuting organisations that fail to keep data safe. In December 2021, the ICO issued new guidance saying that it expected all staff and volunteers who have access to data to receive cyber awareness training as part of their induction, and before they are given such access. Furthermore, it mandates that training should be ongoing for all employees, and that an organisation should be able to demonstrate completion of training and management of non-attendees.
