The MFA Fatigue Ins and Outs

Multi-Factor Authentication has for years been a fantastic method for protecting your online accounts from unauthorized access. But what was once a benefit now poses a dangerous security risk to your own personal information, but more seriously to corporate databases. 

MFA Fatigue as it is known has been most notably utilized by Lap$sus, a hacking group that has successfully infiltrated large tech companies like Microsoft, Cisco, and even Uber. The technique centers on inundating members of organizations with sing-in approval notification that accompanies repeated attempts to access online accounts. The prey of this tactic receives notification after notification until they eventually give up and provide authentication out of sheer frustration.

Another common variation of this approach manifests in hackers sending emails while posing under the guise of IT support personnel. With this added layer of perceived authority, individuals become significantly more likely to approve access to their accounts on an alternate device.  

Don’t Be Alarmed – Stop Hackers In Their Tracks

1. The First Line of Defense

There are several steps you can take to prevent your next security breach, but sometimes the simplest precautions are the most effective. The MFA Fatigue scheme still requires stolen credentials to your account, so the first way to deter this risk is to create a strong password, minimizing the possibility of someone signing in to begin with. 

Focus on designing a password that is complex, and long. With every added character, your password strength grows exponentially. We also recommend you set a semi-regular password expiration, keeping your account up to date with ever-changing credentials.

2. Authenticate Authenticate Authenticate

Two-factor authentication is the standard practice for most virtual accounts, but you can increase protection efficacy with multi-factor authentication. The more security layers you have in place, the more unlikely you are to accidentally forfeit account access.

3. Restrict the Number of Authentication Attempts

It happens to all of us. A child gets a hold of your phone and types in your password a hundred times. The next thing you know, you’re locked out of your phone for weeks.

Annoying as that may be, this defense works for your phone, and it will work for your employee accounts, too. MFA only works if the hacker can send an indefinite amount of notifications to your personal device. So make sure to speak with your IT department about standardizing a limited number of sign-in attempts. Without the constant influx of messages, you can eliminate the ‘fatigue’ that comes with this nefarious scheme.

4. Ditch Your Phone Number Authentication 

The final layer of defense you can use to bolster security is to stop using your SMS authentication texts to your phone number. Hackers have devised a trick called SIM-swapping, which lets them switch a target’s phone number to another SIM that the hacker controls. This way they receive the authentication code instead of you.

You can sidestep this altogether by replacing SMS authentication with authenticator apps designed specifically for this purpose. We recommend installing an app akin to the Google Authenticator app. Your codes will then be sent to your phone without relying on a potentially compromised phone number.

Time to Breathe Easy

The danger of cyber-security hackers is a real, but preventable. If you follow these simple steps, you can keep you and you company’s information safe and secure from those who wish to abuse it.