Why Multi-factor Authentication is Critical
By now most people are accustomed to the need for multi-factor authentication (MFA) on their accounts. Whether it’s a work account or email protected with a push notification to an app on your phone, or a personal bank account where you may receive a text message code, MFA is a critical step in preventing attackers from unauthorized logins.
How Important is Multi-factor Authentication, Really?
MFA is so critical a concept that its absence has made the Cybersecurity and Information Security Agency (CISA) bad practices list. It’s important to note that this list contains just a handful of items!
But I Already Use MFA… Now What?
If your key personal and business accounts are all protected with MFA, don’t stop reading here. That’s exactly what attackers are hoping for now.
Don’t Get Complacent – Attackers Exploit Human Psychology
Attackers exploit the fact that MFA has become more commonplace. They use this to their advantage, so it’s important to know how their attacks occur.
You see, the downside of human psychology is that once we are accustomed to something, it becomes second nature. MFA is becoming second nature to us. We log in, get our MFA push and immediately approve the prompt. It’s so convenient it probably takes the average person less than a second to approve. It’s become muscle memory, such that if a provider moves where a button is in the app, we’ll press the wrong spot on our phones (I’m looking at you here, Duo). This is exactly what attackers are hoping for.
Use MFA Wisely & Be Vigilant
Attackers are using phishing or brute force attacks to learn passwords for accounts. We can’t stop this with 100% certainty, which is why we have MFA in the first place. They’ll then log into our accounts hoping that when we receive the MFA prompt, our muscle memory will kick in, and we’ll just approve the request even when it’s the attacker logging in instead of us. They’ll send these MFA requests back-to-back, flooding our phones with MFA prompts. Some people think there must be a glitch and approve. Some get so annoyed at the prompts they click approve just to get them to stop. As you can imagine, this is exactly what they are hoping for.
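On the defender's side, the back-to-back prompt pattern described above is visible in MFA logs. The following is an added example, not part of the original article or any vendor's product: the log layout, the five-minute window and the three-prompt threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: time, user, push result (assumed layout, not a vendor format).
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice approved
2024-05-01T13:10:00Z bob timeout
2024-05-01T13:10:40Z bob denied
2024-05-01T13:11:15Z bob timeout
2024-05-01T13:11:50Z bob timeout
2024-05-01T13:12:20Z bob approved
2024-05-01T14:00:00Z carol denied
2024-05-01T14:00:30Z carol denied
2024-05-01T14:01:00Z carol denied
2024-05-01T18:30:00Z dave denied
2024-05-01T21:45:00Z dave approved
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 3                   # assumed count of unapproved prompts that makes a flood

def parse(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_floods(log_text):
    """Return (user, severity, time) alerts: 'flood' when THRESHOLD unapproved prompts
    fall inside WINDOW, 'flood_then_approve' when an approval follows such a flood."""
    unapproved = defaultdict(deque)   # user -> times of recent denied/timed-out prompts
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, result = parse(line)
        recent = unapproved[user]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()          # forget prompts older than the window
        if result == "approved":
            if len(recent) >= THRESHOLD:
                alerts.append((user, "flood_then_approve", ts))
            recent.clear()            # an approval ends the current run of prompts
        else:
            recent.append(ts)
            if len(recent) == THRESHOLD:
                alerts.append((user, "flood", ts))
    return alerts

if __name__ == "__main__":
    for user, severity, ts in detect_push_floods(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {severity}")
```

A `flood_then_approve` alert is the case to treat as a likely account compromise: the session behind that approval should be revoked and the password reset.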
It’s important to educate your team on what MFA is protecting against in the first place, recognize the rise of this type of attack tactic on the MFA process, and ensure everyone minds their MFA.