
Protect your Business from MFA Fatigue Attacks

Microsoft is upgrading its security and changing the default Multifactor Authentication (MFA) settings in Authenticator. Starting on May 8, 2023, number matching is enforced for all users of Microsoft Authenticator push notifications. Microsoft's shift to number matching is a direct response to the rise of MFA fatigue attacks, also known as MFA spamming or MFA bombing. Here's what you need to know to protect yourself and your business, and how Managed Security Services can improve your security posture. 
 
What is an MFA Fatigue Attack? 
 
An MFA fatigue attack starts after an adversary has already obtained the user's password by some other means, such as phishing or a leaked credential dump. The attacker then signs in again and again, bombarding the account owner with MFA push notifications until they slip and approve one. Once a request is approved, the attacker holds an authenticated session and can misuse the account however they want.  


According to Microsoft, about 1% of users will accept an approval request on the first try. 
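A defender can see the bombardment in the Entra ID sign-in logs before a user slips: a burst of declined or expired push prompts for one account, especially one that is followed by a success. The function below is an added example, not code from the original article or from Microsoft. The sign-in records it runs over are constructed for the example and follow the field names of the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, ipAddress, status.errorCode, status.additionalDetails). The error code 500121 and the "MFA denied" detail text are what Entra records when a strong-authentication request fails; treat that as an assumption to confirm against your own tenant's logs.

```powershell
# Added example: flag MFA push bursts in Entra ID sign-in records (not the article's own code).
# Input objects need userPrincipalName, createdDateTime, ipAddress and a status with
# errorCode / additionalDetails, i.e. the shape of the Microsoft Graph signIn resource.
function Find-MfaPushBurst {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $Threshold     = 5,    # declined/expired prompts that count as a burst
        [int] $WindowMinutes = 10    # sliding window the prompts must fall inside
    )

    $findings = foreach ($user in ($SignIns | Group-Object -Property userPrincipalName)) {
        $events = @($user.Group | Sort-Object -Property createdDateTime)
        # 500121 = "Authentication failed during strong authentication request" (assumed code)
        $denied = @($events | Where-Object { $_.status.errorCode -eq 500121 })

        for ($i = 0; $i -lt $denied.Count; $i++) {
            $start = [datetime]$denied[$i].createdDateTime
            $end   = $start.AddMinutes($WindowMinutes)
            $burst = @($denied[$i..($denied.Count - 1)] |
                       Where-Object { [datetime]$_.createdDateTime -le $end })
            if ($burst.Count -lt $Threshold) { continue }

            # Did the user eventually approve? Look for a success shortly after the burst.
            $success = $events |
                Where-Object { $_.status.errorCode -eq 0 -and
                               [datetime]$_.createdDateTime -ge $start -and
                               [datetime]$_.createdDateTime -le $end.AddMinutes($WindowMinutes) } |
                Select-Object -First 1
            $severity = if ($success) { 'High' } else { 'Medium' }

            [pscustomobject]@{
                User          = $user.Name
                BurstStart    = $start
                DeniedPrompts = $burst.Count
                SourceIPs     = ($burst.ipAddress | Sort-Object -Unique) -join ','
                ApprovedAfter = [bool]$success
                Severity      = $severity
            }
            break   # one finding per user is enough to open a ticket
        }
    }
    return @($findings)
}

# Constructed sample records (not from a real tenant). The status texts are assumed values.
$denial = @{ errorCode = 500121; additionalDetails = 'MFA denied; user declined the authentication' }
$ok     = @{ errorCode = 0;      additionalDetails = '' }
$t0     = [datetime]'2023-05-09T08:00:00Z'
$sample = @(
    # alice: six declined prompts inside four minutes from one IP, then an approval
    foreach ($n in 0..5) {
        [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; createdDateTime = $t0.AddSeconds(45 * $n); ipAddress = '203.0.113.10'; status = $denial }
    }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; createdDateTime = $t0.AddMinutes(5); ipAddress = '203.0.113.10'; status = $ok }
    # bob: one declined prompt, then success - a normal mis-tap, not an attack
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; createdDateTime = $t0.AddMinutes(1); ipAddress = '198.51.100.7'; status = $denial }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; createdDateTime = $t0.AddMinutes(2); ipAddress = '198.51.100.7'; status = $ok }
    # carol: three declines spread over an hour - below the burst threshold
    foreach ($n in 0..2) {
        [pscustomobject]@{ userPrincipalName = 'carol@contoso.example'; createdDateTime = $t0.AddMinutes(20 * $n); ipAddress = '192.0.2.44'; status = $denial }
    }
)

# Only alice is reported, with ApprovedAfter = True and Severity = High.
Find-MfaPushBurst -SignIns $sample | Format-Table -AutoSize
```

To run this against live data, sign in with Connect-MgGraph using the AuditLog.Read.All scope and feed the function the output of Get-MgAuditLogSignIn with a createdDateTime filter covering the period of interest; the SDK returns properties in PascalCase (Status.ErrorCode), which PowerShell's case-insensitive member access resolves without any change to the function. Pull successes as well as failures, otherwise ApprovedAfter can never be set. The High-severity case, a burst followed by an approval, is the one that warrants an immediate session revocation and password reset.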
 

What you Need to Know 

There are two precautions that should be a rule of thumb:  

1) Never approve an MFA request you did not initiate. If you are not sure where it is coming from, always deny or decline it.   

2) If the requests keep coming, treat it as proof that someone already has your password. Identify the service that is sending them, change that password, and report it to your IT or security team.

Microsoft Authenticator's additional-context settings put the details you need into the notification itself, so you can tell where, and from what, the request is coming: 

  • Show application name in the push and passwordless notification – shows which application the user is attempting to sign in to. 
  • Show geographic location in the push and passwordless notification – displays the approximate location (derived from the sign-in IP address) the request is coming from. 
  • Number matching with push notifications – requires the user to type the two-digit number shown on the sign-in screen into the Authenticator app, so a request the user never saw cannot be approved with a reflex tap. 
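The three settings above are tenant policy, and the way to set them for every user at once is the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed and the signed-in administrator can consent to the Policy.ReadWrite.AuthenticationMethod permission. Since the May 8, 2023 enforcement, number matching applies to every push user regardless of the numberMatchingRequiredState value, but the application-name and location settings are still opt-in, so this is where a tenant actually turns them on.

```powershell
# Added example: enable number matching and additional context in Microsoft Authenticator
# tenant-wide with the Microsoft Graph PowerShell SDK (not the article's own code).
# Assumes: Install-Module Microsoft.Graph has been run and the caller can consent to the
# Policy.ReadWrite.AuthenticationMethod scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Capture the current Authenticator configuration first so the change can be reviewed
# and rolled back.
$before = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator"
$before | ConvertTo-Json -Depth 8 | Out-File ".\authenticator-policy-before.json"

# Each feature is a state plus the group it applies to; "all_users" is the built-in
# target that covers the whole tenant.
$allUsers = @{ targetType = "group"; id = "all_users" }

$params = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        # Show the requesting application's name in the push notification
        displayAppInformationRequiredState = @{
            state         = "enabled"
            includeTarget = $allUsers
        }
        # Show the approximate location (derived from the sign-in IP) in the push notification
        displayLocationInformationRequiredState = @{
            state         = "enabled"
            includeTarget = $allUsers
        }
        # Number matching: the user must type the two-digit number from the sign-in screen.
        # Enforced by Microsoft for all push users since 2023-05-08; set it explicitly anyway
        # so the tenant's intent is recorded in the policy.
        numberMatchingRequiredState = @{
            state         = "enabled"
            includeTarget = $allUsers
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator" `
    -BodyParameter $params

# Read the configuration back and confirm all three states now say "enabled".
$after = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator"
$after | ConvertTo-Json -Depth 8
```

The saved before-state is worth keeping with the change record: the same Update cmdlet, fed the JSON from that file as its body, reverts the policy if the rollout causes trouble. Pushing the change to a pilot group first, by replacing the "all_users" target with a specific group id, is the usual way to catch users whose app is too old to render the new prompts.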

Cybersecurity Awareness Training 
 
Provide your employees with annual cybersecurity training. This will help your users understand the risks associated with cyber threats and give them what they need to recognize MFA spamming, email phishing scams and Business Email Compromise attacks. It will also reinforce the importance of good password hygiene. Consider putting a program in place to ensure all new employees receive cybersecurity training, especially those who work in finance.  
 
MFA fatigue attacks are just one of the many current threats that we need to be aware of and address. We want businesses to have the tools, best practices and standards in place to protect their users and data from bad actors. A Managed Service Provider can help your business understand its risks so that you can do the best job possible of keeping your business secure. Visit our Managed Security Services webpage to learn more or contact us to schedule a meeting.  
