What is MFA (Multi-Factor Authentication) fatigue?
When I joined ADM (ADM Computing) in 2012 the world of IT security was a relatively simple one. Antivirus software on your servers and endpoints (computers), a firewall at your office, perhaps some antispam filtering and you were considered pretty robust. Fast-forward 10 years and there’s seemingly a new threat to consider every few weeks and another layer to protect – today we’ll talk about MFA Fatigue.
Before we talk about MFA Fatigue, let's first remind ourselves what MFA is…
MFA (multi-factor authentication) protects your accounts even if your username and password are compromised. Upon logging in to a service, you are prompted for a secondary form of authentication, most popularly a notification on your phone via an authenticator app, or a code sent to your phone via SMS. This has proven to be very effective, with many reputable sources suggesting MFA can block over 99.99% of account compromise attacks.
So, what is MFA Fatigue?
MFA Fatigue (aka MFA Exhaustion / MFA Spamming) is a method used by hackers to get around the MFA notification sent to your phone. In short, once a hacker has your username and password they will send dozens, hundreds or thousands of MFA prompts to your phone in the hope that you accidentally hit ‘Approve’. You might hit Approve for a number of reasons: you may not be at your most vigilant and genuinely tap Approve instead of Deny, or the timing may coincide with a moment when you are trying to log in to an account yourself.
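The burst of prompts described above is also what makes MFA spamming visible to the people defending the account. As an added example (not part of ADM's post or any vendor's tooling), the following Python reads a constructed, simplified sign-in log and flags any user who received a threshold number of push challenges inside a short window, noting whether an approval followed the burst. The log format, user names and event names are assumptions for the demonstration; real Microsoft Entra sign-in logs carry many more fields.

```python
"""Flag MFA push-spam bursts in a sign-in log (added example, not ADM's or Microsoft's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>". The three event names
# and the one-line-per-event layout are assumptions made for this demo.
SAMPLE_LOG = """\
2023-02-01T08:00:05Z alice@example.com mfa_push_sent
2023-02-01T08:00:41Z alice@example.com mfa_push_approved
2023-02-01T22:14:02Z bob@example.com mfa_push_sent
2023-02-01T22:14:09Z bob@example.com mfa_push_denied
2023-02-01T22:14:15Z bob@example.com mfa_push_sent
2023-02-01T22:14:22Z bob@example.com mfa_push_denied
2023-02-01T22:14:30Z bob@example.com mfa_push_sent
2023-02-01T22:14:44Z bob@example.com mfa_push_sent
2023-02-01T22:14:58Z bob@example.com mfa_push_sent
2023-02-01T22:15:10Z bob@example.com mfa_push_sent
2023-02-01T22:15:31Z bob@example.com mfa_push_approved
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_spam(text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: finding} for every user who received at least `threshold`
    push challenges within any `window`. `peak_pushes` is the largest count seen
    in one window; `approved_after_burst` is set when an approval lands within the
    window of the last spammed push, which is the case a SOC should chase first."""
    events = sorted(parse_log(text))
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside the window
    findings = {}
    for ts, user, event in events:
        if event == "mfa_push_sent":
            pushes = recent[user]
            pushes.append(ts)
            while pushes and ts - pushes[0] > window:
                pushes.popleft()  # slide the window forward
            if len(pushes) >= threshold:
                finding = findings.setdefault(
                    user, {"peak_pushes": 0, "approved_after_burst": False})
                finding["peak_pushes"] = max(finding["peak_pushes"], len(pushes))
        elif event == "mfa_push_approved" and user in findings:
            last_push = recent[user][-1]
            if ts - last_push <= window:
                findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_spam(SAMPLE_LOG).items():
        print(user, finding)
```

In the sample, alice's single prompt and approval are normal, while bob receives six pushes in about a minute, denies two, and then approves; that combination (burst, denials, then an approval) is exactly the pattern worth an alert and a password reset, and the thresholds are tunable to a tenant's normal sign-in volume.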
So, what can we do to combat this?
Microsoft are aware of the threat posed by MFA Fatigue and have addressed it via an amendment to their MFA offering. Previously, a user would get a simple ‘Approve’ / ‘Reject’ notification on their phone; now the service requesting MFA shows a two-digit code, which you must enter on your phone to finalize the MFA process – this is known as number matching. This eliminates the risk of approving something inadvertently. You can also configure the authenticator to show the name of the application and/or the location of the MFA request, to further verify what it is you are authorizing.
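To make the difference between the old Approve/Reject prompt and number matching concrete, here is a small Python model of a push-MFA service. It is an added illustration, not Microsoft's implementation or ADM's code, and the class and method names are invented. The service issues a two-digit code that is shown only on the sign-in screen that triggered the prompt; the phone is shown the requesting application and location but never the code, so a tap on Approve from someone who is not looking at that sign-in screen has nothing to match against. Requests are single-use and expire.

```python
"""Model of push MFA with and without number matching (added example, not Microsoft's code)."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PushRequest:
    request_id: str
    user: str
    app_name: str
    location: str
    code: str              # two-digit number displayed on the sign-in screen only
    expires_at: datetime
    resolved: bool = False


class PushMfaService:
    """Hypothetical service: number_matching=False models the old Approve/Reject prompt."""

    def __init__(self, number_matching=True, ttl=timedelta(seconds=60)):
        self.number_matching = number_matching
        self.ttl = ttl
        self.pending = {}

    def start_sign_in(self, user, app_name, location, now):
        """Called after the password check. Returns (request_id, code); the code is
        rendered on the requesting sign-in screen and sent nowhere else."""
        code = f"{secrets.randbelow(100):02d}"
        rid = secrets.token_hex(8)
        self.pending[rid] = PushRequest(rid, user, app_name, location, code, now + self.ttl)
        return rid, code

    def prompt_for_phone(self, rid):
        """What the authenticator app shows: context for the user, never the code."""
        req = self.pending[rid]
        return {"app": req.app_name, "location": req.location,
                "action": "enter the number shown on your sign-in screen"
                if self.number_matching else "approve or deny"}

    def respond_from_phone(self, rid, approve, entered_code, now):
        """Resolve a prompt. Single-use and time-limited regardless of outcome."""
        req = self.pending.get(rid)
        if req is None or req.resolved or now > req.expires_at:
            return False
        req.resolved = True
        if not approve:
            return False
        if not self.number_matching:
            return True  # legacy behaviour: one tap on Approve completes MFA
        return entered_code is not None and hmac.compare_digest(entered_code, req.code)


def demo(number_matching):
    """Return (legitimate_sign_in_ok, reflex_approve_ok) for the chosen mode."""
    now = datetime(2023, 2, 1, 9, 0, tzinfo=timezone.utc)
    svc = PushMfaService(number_matching=number_matching)
    # Legitimate sign-in: the user is at the screen, sees the code and types it.
    rid, code = svc.start_sign_in("alice@example.com", "Outlook", "Canterbury, GB", now)
    legit = svc.respond_from_phone(rid, True, code, now + timedelta(seconds=10))
    # Unexpected prompt: the user is not signing in anywhere, so has no code to
    # enter; a reflex tap on Approve supplies nothing.
    rid2, _unseen_code = svc.start_sign_in("alice@example.com", "Outlook", "Unknown", now)
    reflex = svc.respond_from_phone(rid2, True, None, now + timedelta(seconds=5))
    return legit, reflex


def replay_and_expiry_checks():
    """Return (first_use_ok, replay_ok, expired_ok) for a number-matching service."""
    now = datetime(2023, 2, 1, 9, 0, tzinfo=timezone.utc)
    svc = PushMfaService()
    rid, code = svc.start_sign_in("alice@example.com", "Teams", "Canterbury, GB", now)
    first = svc.respond_from_phone(rid, True, code, now + timedelta(seconds=5))
    replay = svc.respond_from_phone(rid, True, code, now + timedelta(seconds=6))
    rid2, code2 = svc.start_sign_in("alice@example.com", "Teams", "Canterbury, GB", now)
    late = svc.respond_from_phone(rid2, True, code2, now + timedelta(minutes=2))
    return first, replay, late


if __name__ == "__main__":
    print("legacy prompt       (legit, reflex):", demo(number_matching=False))
    print("number matching     (legit, reflex):", demo(number_matching=True))
    print("first, replay, late:", replay_and_expiry_checks())
```

With the legacy prompt both the genuine sign-in and the reflex tap succeed; with number matching only the genuine sign-in does, because the phone prompt carries the application and location for the user to check but no number to copy. The constant-time comparison, single-use flag and expiry are the details an implementer would want even in a toy like this.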
ADM has already enabled number matching internally and for clients who wished to be early adopters. We will also be proactively contacting clients who already use MFA to suggest enabling it. Microsoft have announced that they will be looking to enable this by default from February 27th 2023. If you wish for it to be enabled for your organization sooner, please give us a call, or contact us using the form below.
About ADM
Founded in 1984, ADM Computing is Kent’s largest and longest established IT services company specialising in IT support services that help to reduce IT costs as well as improve network efficiency. We have a long history of charity work and won’t be slowing down any time soon!
To keep up to date with all our latest updates, follow us on LinkedIn: ADM Computing LinkedIn
Blog Author
Jamie Pert – Team Leader & 3rd Line Engineer | ADM Computing – Established in 1984.
Jamie has been with ADM for over 10 years, and thanks to his desire to challenge the ‘we’ve always done it this way’ mentality, he has been instrumental in driving forward the development of our service desk. When not busy leading his team and thinking of ways to improve our processes, Jamie’s focus is on the implementation of automation that instils secure best practice.
In his free time, Jamie enjoys playing and watching his son play football.