
As the cybersecurity landscape continues to evolve, businesses are compelled to adopt new and better ways to protect their data and restrict unauthorized access. Multi-Factor Authentication (MFA) is an effective protection layer that businesses can add to their security protocols, in addition to complex passwords.

‘MFA Fatigue’ is what we call it when an employee hits “Accept” on an MFA request they did not themselves initiate.

Understanding MFA Fatigue

MFA Fatigue is most likely to occur at the exact moment a hacker is attempting to compromise an employee’s account. In a case like this, the employee receives MFA requests they did not initiate (possibly a number of them over a period of hours) and, by accepting one, accidentally or otherwise inadvertently gives the hacker access to a system. All of this, of course, happens after the hacker has somehow managed to obtain the user’s password.

[Image: MFA Fatigue Authentication Example]

Typically, the only other time an employee will receive an MFA request they did not initiate is when they have left a browser window open (for example) on one of their devices and that session has timed out. It is imperative that everyone knows never to hit “Accept” on MFA requests they did not directly initiate, even if they believe it is their own system initiating the request.

In these cases an employee should wait until they are back at their computer to investigate. I stress again that employees should never hit “Accept” on an MFA request that they did not directly initiate themselves. Employees should also report immediately to IT support any odd MFA requests they cannot explain (or attribute to their own devices), as this is a telltale sign that their password has been compromised.
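As an added illustration (not part of the original post), the following Python script scans push-notification log lines for the pattern described above: several unanswered or denied prompts for one user within a short window, optionally followed by an approval, while a lone timed-out prompt (the stale-session case) is left alone. The log format, field names, user names and sample values are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# timestamp  user  outcome of the push prompt  source IP of the login attempt
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice push_timeout 203.0.113.7
2024-03-01T09:14:40 alice push_denied 203.0.113.7
2024-03-01T09:31:05 alice push_timeout 203.0.113.7
2024-03-01T10:05:52 alice push_timeout 203.0.113.7
2024-03-01T10:48:19 alice push_approved 203.0.113.7
2024-03-01T09:10:00 bob push_timeout 198.51.100.3
2024-03-01T11:00:00 carol push_denied 203.0.113.9
2024-03-01T11:06:30 carol push_denied 203.0.113.9
2024-03-01T11:12:45 carol push_denied 203.0.113.9
"""

UNANSWERED = {"push_timeout", "push_denied"}  # prompts the user did not approve


def parse_line(line):
    """Split one log line into its fields; the format is assumed for this example."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "result": result, "ip": ip}


def find_mfa_fatigue(log_text, window=timedelta(hours=2), threshold=3):
    """Return {user: verdict}. "burst": at least `threshold` unapproved prompts
    inside `window`; "approved_after_burst": an approval arrived while such a
    burst was still inside the window (the employee may have hit Accept on a
    request they did not start). A lone timeout (a stale session) is not flagged."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = []  # timestamps of unapproved prompts still inside the window
        for ev in events:
            recent = [t for t in recent if ev["ts"] - t <= window]
            if ev["result"] in UNANSWERED:
                recent.append(ev["ts"])
                if len(recent) >= threshold:
                    findings[user] = "burst"
            elif ev["result"] == "push_approved" and len(recent) >= threshold:
                findings[user] = "approved_after_burst"
    return findings
```

Running `find_mfa_fatigue(SAMPLE_LOG)` flags alice (a burst of prompts followed by an approval, the case IT support should investigate first) and carol (a burst with no approval yet), while bob's single timed-out prompt is not reported.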

Takeaways:

  • Never accept MFA requests that you did not directly initiate, even if you think you can explain them.
  • Report instances of unexplained MFA requests to IT support.
  • Every separate online vendor must have a unique and complex password.
  • Using the same password (or even variations on the same password) with multiple online sources will lead to account compromise.
  • Never use your work password anywhere other than work.
  • If you have a compromised account, every instance of that password and all variations on that password (at every vendor) should be changed.
  • Using a password manager (contact us if needed) has become a necessity, in order to maintain unique credentials at each separate online vendor.
  • Security Awareness Training (contact us if needed) can also help.

ML/jk