Your IT Consultant
Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.
Beware MFA Fatigue Attacks
November 16, 2022
Multi-Factor Authentication (MFA) should be enabled for any system you access. The second factor significantly improves security and, according to Microsoft, will prevent 99.9% of credential-based account takeover attacks. There are several ways to deliver the second factor. The most common one is to have an SMS text message sent to your phone. Even though SMS is the most common method, it is also the most insecure and is subject to man-in-the-middle attacks. A better option is to use push notifications to an authentication app.
However, the cybercriminals know users are moving to push notifications for MFA and are shifting their attacks to gain account access. BleepingComputer reports that as organizations shift to push notifications, MFA attacks are increasing. An MFA attack is “a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one.” In other words, the problem is that human beings get tired of the constant prompts and just give up. Bad move.
There are steps you can take to minimize the impact of push fatigue. Besides user education (don’t give up!), limiting the number of MFA requests can help. If a large number of MFA requests are “seen” in a short period of time, you can temporarily disable the user account and force a “quiet period” until push notifications can resume. Even with the increase in push fatigue attacks, using push notifications for MFA is a much better alternative than using text messages.
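As an added illustration of the “quiet period” control described above (example code written for this page, not from the post or any vendor product), the following replays a constructed push-notification log through a per-user sliding-window limit. The thresholds (more than 5 prompts in 10 minutes triggers a 30-minute quiet period) and the log format are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample of an identity provider's push log (not real data):
# "<timestamp> <user> <event>", one event per line.
SAMPLE_LOG = """\
2022-11-16T08:00:00 bob push_requested
2022-11-16T08:01:00 alice push_requested
2022-11-16T08:01:20 alice push_requested
2022-11-16T08:01:40 alice push_requested
2022-11-16T08:02:00 alice push_requested
2022-11-16T08:02:20 alice push_requested
2022-11-16T08:02:40 alice push_requested
2022-11-16T08:03:00 alice push_requested
2022-11-16T08:20:00 bob push_requested
2022-11-16T08:45:00 alice push_requested
"""

class PushFatigueGuard:
    """Sliding-window limit on MFA push prompts per user, with a quiet period.
    Thresholds are illustrative assumptions, not values from the post."""
    def __init__(self, max_prompts=5, window=timedelta(minutes=10),
                 quiet=timedelta(minutes=30)):
        self.max_prompts, self.window, self.quiet = max_prompts, window, quiet
        self.history = defaultdict(deque)  # user -> recent request timestamps
        self.quiet_until = {}              # user -> end of its quiet period

    def on_push_request(self, user, ts):
        """Decide one request: 'sent', 'quiet_start' or 'suppressed'."""
        if ts < self.quiet_until.get(user, ts):
            return "suppressed"            # quiet period active: do not prompt
        hist = self.history[user]
        hist.append(ts)
        while ts - hist[0] > self.window:  # forget requests older than window
            hist.popleft()
        if len(hist) > self.max_prompts:   # burst of prompts: start quiet period
            self.quiet_until[user] = ts + self.quiet
            hist.clear()
            return "quiet_start"
        return "sent"

def process_log(log_text, guard=None):
    """Replay log lines through the guard; return one (user, decision) per request."""
    guard = guard or PushFatigueGuard()
    decisions = []
    for line in log_text.splitlines():
        ts_text, user, event = line.split()
        if event == "push_requested":
            ts = datetime.fromisoformat(ts_text)
            decisions.append((user, guard.on_push_request(user, ts)))
    return decisions
```

In the sample, alice's sixth prompt within two minutes starts her quiet period, her seventh is suppressed, and bob's normally spaced prompts are unaffected.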