Contributed by Laura Campbell, ITS
Multi-factor Authentication (MFA) is a critical line of defense against cyber threats. MFA requires users to provide multiple forms of identification when logging into sensitive programs or accounts. In most cases, users enter their password, which then triggers a one-time code or an authorization request to be “pushed” to a secondary device, usually an authentication app on the user's mobile phone. UVA uses DUO for MFA.
MFA has proven to be an effective way of preventing unauthorized access. However, users can be annoyed by frequent pushes, and cyber criminals are taking advantage of that annoyance through an increasingly prevalent attack known as MFA Fatigue.
MFA Fatigue gives cyber-attackers a new opening and has become a prevalent threat to users and networks. An attacker who has already obtained a username and password bombards the victim with repeated MFA push notifications until the victim is annoyed enough to approve one just to make them stop.
Here's what happens
1. An attacker overwhelms the user with push notifications, bombarding them with repeated requests for approval.
2. The user becomes frustrated with the constant interruptions and eventually approves one, just to make them stop.
3. Once the user has approved a push, the attacker is logged in and has bypassed any further authentication.
How to protect yourself
1. Stay alert – You should expect a push notification only when you have just logged into a system. Stay aware and decline any push notification that you know you did not initiate. You should NEVER receive multiple push notifications for a single login. (Note: After approximately 10 DUO declines, your account will be locked for 30 minutes. This alone should deter an attacker.)
2. Reset your password – If an attacker triggered a push notification, it is safe to assume they have somehow obtained your password. Reset it here.
3. Clear your cookies and cache regularly – Attackers now target session cookies, the small data fragments stored by browsers to maintain active logins.
4. Report it – Contact UVA ITS via the Help Desk or by email at IT-Security@virginia.edu and report the problem.
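The two lists above describe the attack (a burst of pushes followed by a tired approval) and the control that limits it (a lockout after roughly 10 declines). The following Python script is an added example written for this post, not code from UVA ITS or from Duo: it reads constructed, Duo-style log lines (the `user=... event=...` format, the 5-pushes-in-5-minutes burst threshold, and the usernames are assumptions for the example; the 10-decline / 30-minute lockout comes from the post) and flags push bursts, approvals that follow a burst, lockouts, and any push that arrives while an account should be locked.

```python
"""Detect MFA push-bombing patterns in constructed, Duo-style auth log lines.

Added example for the ITS post on MFA Fatigue; the log format and the burst
threshold are assumptions, the 10-decline / 30-minute lockout is from the post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Assumed log format: "<ISO timestamp>Z user=<name> event=<push_sent|push_denied|push_approved> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, user, event) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"]


def _bombing(user, pairs, base):
    """Constructed helper: `pairs` send/deny cycles 20 s apart for one user."""
    lines = []
    for i in range(pairs):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t:{TS_FMT}} user={user} event=push_sent ip=203.0.113.7")
        lines.append(f"{t + timedelta(seconds=5):{TS_FMT}} user={user} event=push_denied ip=203.0.113.7")
    return lines


def build_sample_log():
    """Constructed sample data (not real Duo output).

    alice: 5 pushes declined, then a 6th approved out of fatigue.
    carol: 10 pushes declined (lockout), then one more push during the lockout.
    bob:   an ordinary login with a single push.
    """
    base = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = _bombing("alice", 5, base)
    t = base + timedelta(seconds=100)
    lines.append(f"{t:{TS_FMT}} user=alice event=push_sent ip=203.0.113.7")
    lines.append(f"{t + timedelta(seconds=5):{TS_FMT}} user=alice event=push_approved ip=203.0.113.7")
    lines += _bombing("carol", 10, base)
    lines.append(f"{base + timedelta(seconds=240):{TS_FMT}} user=carol event=push_sent ip=203.0.113.7")
    lines.append("2024-05-01T09:01:00Z user=bob event=push_sent ip=198.51.100.9")
    lines.append("2024-05-01T09:01:04Z user=bob event=push_approved ip=198.51.100.9")
    return lines


def analyze(lines, window=timedelta(minutes=5), burst_threshold=5,
            lockout_declines=10, lockout=timedelta(minutes=30)):
    """Walk events in time order and return a list of alert dicts."""
    sends = defaultdict(deque)     # recent push_sent timestamps per user
    declines = defaultdict(int)    # consecutive declines since the last approval
    locked_until = {}              # user -> time the lockout expires
    burst_reported = set()         # users already alerted for the current burst
    alerts = []
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    for ts, user, event in events:
        if event == "push_sent":
            if user in locked_until and ts < locked_until[user]:
                # The lockout should have stopped this; log it as a control failure.
                alerts.append({"ts": ts, "user": user, "alert": "push_during_lockout"})
                continue
            q = sends[user]
            q.append(ts)
            while q and ts - q[0] > window:      # drop sends older than the window
                q.popleft()
            if len(q) >= burst_threshold and user not in burst_reported:
                burst_reported.add(user)
                alerts.append({"ts": ts, "user": user, "alert": "push_burst"})
        elif event == "push_denied":
            declines[user] += 1
            if declines[user] >= lockout_declines:   # the post's ~10-decline lockout
                locked_until[user] = ts + lockout
                declines[user] = 0
                alerts.append({"ts": ts, "user": user, "alert": "lockout_triggered"})
        elif event == "push_approved":
            recent = [t for t in sends[user] if ts - t <= window]
            if len(recent) >= burst_threshold:       # the "approve to make it stop" moment
                alerts.append({"ts": ts, "user": user, "alert": "approval_after_burst"})
            declines[user] = 0
            sends[user].clear()
            burst_reported.discard(user)
    return alerts


def summarize(alerts):
    """Group alert names per user, preserving time order."""
    out = defaultdict(list)
    for a in alerts:
        out[a["user"]].append(a["alert"])
    return dict(out)


if __name__ == "__main__":
    for user, names in summarize(analyze(build_sample_log())).items():
        print(f"{user}: {', '.join(names)}")
```

Run as a script it prints one line per flagged user; bob produces nothing. The `approval_after_burst` alert is the one worth paging on, since it marks the moment the attacker's stolen password turned into a live session, and it should trigger the password reset and the report to ITS described above. The `push_during_lockout` alert exists to verify that the lockout is actually being enforced rather than to assume it.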