Multi-factor authentication (MFA) increases an organization’s security and helps mitigate risk by requiring a user to provide multiple forms of identity verification to gain access to an application, network or website. Although MFA requires an extra step (or two) at the time of login, it can block most account-compromising attacks.
Four years ago, Microsoft advised that MFA would block over 99.9% of cyber-attacks. This information contributed to insurance carriers often requiring their insureds to utilize MFA or be faced with non-renewal or huge increases in premiums. At this point, many cyber carriers refuse to provide a quote for cyber insurance unless the business has MFA for all its employees. As such, many businesses have this protective armor against cyber attackers.
Then, in walks MFA fatigue.
What is MFA Fatigue?
It was only a matter of time before hackers developed a strategy to circumvent this security measure. MFA fatigue (also known as MFA bombing) is a strategy utilized by hackers to overcome the protection of MFA. First, the hacker obtains the user’s login name and password. A hacker may obtain this information on the dark web or merely by guessing a user’s password. Then, the hacker will bombard the user with prompts requesting verification of their identity. Users may grant access to stop the barrage of push notifications. This has been especially effective on mobile devices since constant notification requests could render a smart phone unusable due to the constant message popups. Or, if a user continues to ignore the push notifications, the hacker may impersonate your IT department and falsely direct them to accept the requests.
Combating MFA Fatigue
Education is the best defense. If an employee receives an unusual push notification, they should immediately change their password, contact their manager and IT department. They should not send an email.
Despite these novel attacks, MFA remains a crucial tool for businesses. Companies that educate employees on the latest cyberattacks will remain ahead of the curve. Remember, human error is the cause of most network intrusions. There are other tools available in your arsenal (e.g., resilient authorization); however, the best tool is making sure your end users are able to recognize the threat and respond appropriately.
Conner Strong & Buckelew’s Cyber Portal has additional resources on MFA. Contact your account representative to learn more about our cyber services or to help setup your cyber portal account.
Laura Kerns, CPLP
Senior Claim Consultant