So, you’ve seen all the warnings and decided to heed them.  You’ve added Multifactor Authentication to your accounts, set them up in your Authenticator app, and are maybe starting to breathe easy again.  You might even be feeling a little smug – “Oh yeah, just let them try to get in now!”  There’s no getting around it: MFA throws a huge monkey wrench into most hackers’ plans, and that’s precisely why it is so highly recommended. It WORKS!

What I’m talking about today, however, is that OTHER factor, specifically, your password!  You might not be worried about that anymore, but I’m here to tell you that you really NEED to be.  Don’t let any old habits return.  GONE must be the days of simple passwords and password re-use.  True, even if a bad guy has it, you still have the final say with that magic Authenticator app, but believe me, they’ve thought of that.  If they get your password, they can take you to a hellish new world known as…

The MFA Fatigue Zone!!!

You find yourself sitting at your computer, minding your own business. You might be working on some business-related stuff, doing an online crossword puzzle, cruising these blog articles, whatever.  Suddenly, your Authenticator app goes off wanting an OK to let you in… “Wait a minute! I don’t remember wanting into my account, must be some kind of network glitch.” You deny it and go about your business.  Then another one comes in. You deny it again, but the hair on the back of your neck starts to stir… “Weird kinda glitch, I wonder what’s up?” you ask yourself.  You have some open browser windows, and the thought crosses your mind that maybe you hit an account bookmark by mistake or something, so you start looking.  Another comes in and you deny it again; your searching becomes more frantic. Yet another comes in, then another and another and another and another.

Just make it stop!!!

A body can only stand just so much!  After a bunch of denials, you finally hit Agree just to make it stop so you can think again.  Unfortunately, you’ve just opened Pandora’s Box, the barn door is open, and the livestock are gone.  This is push notification spamming, A.K.A. MFA Fatigue, at its finest: the bad guy barraged you with requests and you finally gave in.
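For the folks who watch the sign-in logs, that barrage leaves a very recognizable trail: a run of denied prompts for one account, then a sudden approval. The Python below is an added example, not part of the original article or any vendor's product, showing how that pattern could be flagged; the event format, the sample events, the 10-minute window and the three-denial threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
DENY_THRESHOLD = 3               # assumed number of denials that counts as a barrage

# Constructed sample events: (timestamp, user, result). Not real log data.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "approved"),  # normal sign-in
    ("2024-01-01T14:00:05", "bob", "denied"),
    ("2024-01-01T14:00:40", "bob", "denied"),
    ("2024-01-01T14:01:10", "bob", "denied"),
    ("2024-01-01T14:01:30", "bob", "denied"),
    ("2024-01-01T14:02:00", "bob", "approved"),    # gave in to make it stop
    ("2024-01-01T16:00:00", "carol", "denied"),    # single mistaken prompt
    ("2024-01-01T16:00:30", "carol", "approved"),
]

def detect_push_fatigue(events, window=WINDOW, threshold=DENY_THRESHOLD):
    """Return alerts for push barrages and for approvals that follow one."""
    recent_denials = defaultdict(deque)  # user -> timestamps of recent denials
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        denials = recent_denials[user]
        # Drop denials that have aged out of the window.
        while denials and ts - denials[0] > window:
            denials.popleft()
        if result == "denied":
            denials.append(ts)
            # Alert once, when the threshold is first reached.
            if len(denials) == threshold:
                alerts.append((ts_text, user, "barrage"))
        elif result == "approved":
            # An approval right after a barrage is the moment the user gave in.
            if len(denials) >= threshold:
                alerts.append((ts_text, user, "approved_after_barrage"))
            denials.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The "barrage" alert fires while the user is still hitting Deny, which is the window in which a password reset can still beat the attacker.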

It is not the technology involved that makes this attack highly effective; it targets the human factor of MFA. Most MFA users have likely never heard of this type of attack and would have no idea they are approving a fraudulent notification. Others just want to make it disappear since they approve similar notifications all the time. They simply can’t see through the notification blitzkrieg to spot the threat. The good folks at GoSecure put together a short video demonstrating one of these attacks.

Remember that password?

While there are ways to mitigate these attacks, the best defense is to keep them from getting your password; they cannot attack this way without it. You need to continue to follow best practices: hard-to-guess passwords, new passwords from time to time, and absolutely no password re-use.  With these few things, you can safely return to that work stuff, the crossword puzzle, blog cruising, or whatever you were doing before I interrupted you.