MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

Unfortunately, obtaining any username and password is child’s play for cyber-criminals, who use various methods to gather this data, including phishing, malware, or purchasing them on the dark web.

To offset this risk, best practice is to always use multi-factor authentication (MFA). This is the process of needing more than one piece of information to log in to a secure website or service, so users are prevented from logging in without first entering additional verification such as a one-time pin or biometric ID. Often MFA is set up as a push notification to a user’s phone, they then must click to approve or decline. The idea being that if someone else manages to obtain the log in information they will not actually be able to complete the process without this additional step.

The risk of MFA Fatigue

So, what is MFA fatigue? It is the risk of a user hitting ‘approve’ on an MFA device without checking first that it is something which should be authorised.  With so many different log-in credentials and so many applications using MFA there is a worrying rise in people becoming less vigilant. Hackers rely on this haste, distractedness, or lack of focus to gain access to your software, with your MFA approval, without your knowledge! While hackers can use numerous other methods to bypass multi-factor authentication, most involve more complicated malware or phishing attack frameworks.

An MFA fatigue attack is when a hacker runs a script that attempts to log in over and over, sending constant MFA push requests to the account owner’s device. Ultimately, the account holder gets so overwhelmed or frustrated that they click on the ‘Approve’ button to simply stop the constant notifications they are receiving. 

If you do receive constant requests for MFA, but you know you have not attempted a log in, please decline and contact the IT admin or support company for your organisation. After discussion with IT and/or your line manager you should change the password for your account to prevent the hacker from continuing to generate MFA requests.

This type of social engineering has proven to be very successful when breaching large and well-known organisations, such as MicrosoftCisco, and now Uber.

A vital message for everyone to understand when it comes to MFA, is that nothing or no one will generate the need for an app or phone approval other than you – ever! If you get prompted or asked via email or messaging, please ALWAYS ignore the request and report the incident.

Awareness Training

Your staff are your first line of defence against cybercrime, they are your human firewall.  If they do not feel confident in cybersecurity awareness and following the correct procedures, they can become your biggest weakness.  Phish Threat testing and consistent cybersecurity awareness training will help your staff understand the threat of cybercrime, detect threats and shut them down before they become an expensive problem. Read more about training for your staff here.

cybersecurity team working at ramsac offices

Did you know cyber training is mandated?

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021, the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, and before they are given such access. Furthermore, they mandate that training should be ongoing for all employees, and that an organisation should be able to demonstrate completion of training and management of non-attendees.

Related Posts

  • Inherent risk vs residual risk: What’s the difference?

    Inherent risk vs residual risk: What’s the difference?


    Inherent risk and residual risk are key elements of any effective risk management process designed to strengthen cybersecurity defences and protect your company’s data. Read on. [...]

    Read article

  • What is cybersecurity monitoring? How important is it in 2024?

    What is cybersecurity monitoring? How important is it in 2024?


    Cybersecurity monitoring is the continuous surveillance of digital systems to detect and respond to security threats and data breaches in real-time. Discover how cybersecurity monitoring software can protect your [...]

    Read article

  • Examples of sensitive data in your organisation

    Examples of sensitive data in your organisation


    Any confidential information that’s stored, processed, or managed by an organisation or individual is classified as sensitive data. Read our sensitive data examples today. [...]

    Read article

  • How to set up a secure password policy in Microsoft 365

    How to set up a secure password policy in Microsoft 365


    Discover the essentials of a robust password policy for cybersecurity in Microsoft 365. Learn what to include and what to avoid. Read the blog today. [...]

    Read article

  • A guide to sensitivity labels and how to apply them

    A guide to sensitivity labels and how to apply them


    Sensitivity labels allow you to manage, organise, and protect sensitive emails, files, and documents as part of the Microsoft 365 suite. Read on. [...]

    Read article

  • MFA vs 2FA: What’s the Difference?

    MFA vs 2FA: What’s the Difference?


    Features like user facial recognition that are difficult to replicate means multi-factor authentication offers more cybersecurity layers than two-factor authentication. Find out more. [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?