As with most IT Managed Service Providers and network administrators, we recommend users to use multi-factor authentication (MFA) for all their important accounts (i.e., Office 365, VPN, bank accounts, and pretty much everything in between).
MFA is usually done in one of three ways and often times the user can pick which one they want.
- A PUSH notification – which means you have the MFA app installed on your phone and when you login to the application your phone automatically pops up the option to APPROVE or DENY the login request.
- Revolving Token – which means you have the MFA application installed on your phone that creates a code called a revolving token. The typical 6-digit code changes every minute of so in the app hence ‘revolving’. When you login to an application with username and password, it asks you for the MFA token and you enter in that number from the phone app.
- Text or Email you a code – when you login to the application it sends a random number code to your email or text and you enter that code during the login process.
If you are following that advice and using MFA, as you should be, you are likely getting a little fatigued by the seemingly constant need to approve your sign-ins on your phone or entering MFA codes.
The bad guys are counting on the fact that you are getting “MFA Fatigued”. If they do have your compromised credentials, they are hammering away with the hope that you accidentally approve one of their sign-ins through your MFA push notification. Want to learn more about multi-factor authentication, here is a good article for you to read click this link.
Here are 5 important things to remember about MFA notifications.
- If you receive an MFA push notification on your phone, be sure that it came immediately in response to a login event that you know you created. Don’t approve an MFA notification on your phone if it was even a few minutes after your known login event, because that could have been enough time for the bad guy to have received your phished credentials and be trying to use them on their end.
- Never approve an MFA notification just because your phone is blasting you with a bunch of them. Don’t APPROVE just to make it go away and then later try to figure out why.
- Always contact your IT managed service provider or network administrator when you get MFA notifications that you do not believe you triggered yourself. Because remember that if you get an MFA notification that you didn’t trigger then the bad guy already knows your username and password, so your credentials are compromised, and something needs to be done.
- Likely getting your password changed and monitoring for more malicious login attempts.
- Eliminating PUSH notifications and always requiring a revolving token to be entered for MFA is one way to reduce the risk of MFA fatigue. But it is understandable that users often do really like the push notifications for ease of use and so that needs to be considered also for the applications you are protecting.
In the meantime, keep diligent and don’t let your guard down. We do not want MFA fatigue to be the reason you get compromised.
Recent Comments