How multi-factor authentication can protect your account

Cybersecurity is a technological arms race waged between the defenders and the attackers. As an identified weakness is defended, the attacker will search for new vulnerabilities to penetrate. History proves that usernames and passwords alone are not enough to protect an individual, and therefore it is standard practice to implement additional login controls such as Multifactor Authentication (MFA). However, even with MFA, bad actors are finding creative ways to gain access to sensitive information. One such example is a recent attack method known as an MFA fatigue attack, described in the following story.

Calculus III and a Side Order of MFA Fatigue

It was a snowy December day on campus as Jerome took a pause from studying for his last final exam to peer through the window at the frosted white flakes glistening as they fell to the ground. He could hardly focus on Calculus III with winter break right around the corner. It couldn’t come soon enough, as he was excited to get home to see his family for the holidays. Buzz! All of a sudden, an alert popped up from Amazon on his phone. He wasn’t surprised, as he had just placed an order for the perfect gift for his younger brother along with some other family gifts. Without hesitation, he clicked the link to sign into Amazon, which he happened to have set up using the same email and password as he had configured for his school login. Out of nowhere, he received a pop-up from Microsoft Authenticator saying someone was attempting to log in to his school account. He whispered, “That’s odd,” and denied it. A few seconds later, another alert, then another alert, then another alert, all of which Jerome denied. After approximately 20 notifications, Jerome felt frustrated and annoyed, and aggressively tapped "approve" on the prompt. Whewww! Jerome felt relieved as the buzzing and notices ceased. But unbeknownst to Jerome, minutes before, he had entered his username and password into a fraudulent website, and then he granted a hacker access to his University account. Jerome’s problems had just begun.

Combatting MFA Fatigue

Ever heard of MFA number matching? This is a feature we have enabled for OHIO accounts to protect against the MFA fatigue attack Jerome experienced. Now, your Authenticator app requires a two-digit code from the login screen to complete the MFA request. This prevents you from accidentally accepting an authentication request from a hacker trying to access your account. In addition, the Authenticator app will now show you the application name that is associated with the MFA request.

IMPORTANT: Do not reuse your passwords across different services and be sure the websites you enter your credentials into are legitimate. If you are experiencing MFA prompts that you did not initiate, decline them and change your password immediately. Visit our Help & Resources: Azure MFA information page for more help on remaining vigilant against these attacks.
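
The pattern in Jerome's story, a run of denied prompts ending in a single approval, is also something an identity team can look for in sign-in data. The sketch below is an added example, not part of the original article or of OHIO's tooling; the event layout, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed events (not real logs): (timestamp, user, push result)."""
    start = datetime(2023, 12, 12, 14, 0, 0)
    # Jerome's story: about 20 denied prompts, then one approval.
    events = [(start + timedelta(seconds=15 * i), "jerome", "denied") for i in range(20)]
    events.append((start + timedelta(seconds=15 * 20), "jerome", "approved"))
    # A normal sign-in: one prompt, approved.
    events.append((start + timedelta(minutes=3), "dana", "approved"))
    # A single mistaken denial followed by an approval stays under the threshold.
    events.append((start + timedelta(minutes=4), "lee", "denied"))
    events.append((start + timedelta(minutes=5), "lee", "approved"))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_denials=5):
    """Flag denial bursts, and approvals that arrive right after one."""
    recent = defaultdict(deque)   # user -> timestamps of recent denials
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, result in events:   # events must be in time order
        denials = recent[user]
        while denials and ts - denials[0] > window:
            denials.popleft()         # forget denials older than the window
        if not denials:
            in_burst.discard(user)
        if result == "denied":
            denials.append(ts)
            if len(denials) >= min_denials and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "denial_burst", len(denials), ts))
        elif result == "approved":
            # An approval right after many denials is the high-priority case.
            if len(denials) >= min_denials:
                alerts.append((user, "approved_after_burst", len(denials), ts))
            denials.clear()
            in_burst.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(sample_events()):
        print(alert)
```

An `approved_after_burst` alert is the case where the account should be treated as compromised: revoke its sessions and reset the password, as the notice above advises.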