While the development of multi factor authentication applications like Duo Mobile and Authy have made great strides in protecting our devices, the potential of these apps can give a false sense of security. Hackers have begun relying on a new tactic to bypass these apps and gain access to your account: multi factor authentication fatigue.
Typically, even if a hacker is able to attain your username and password, they still can’t access your account without duo authentication approval, the owner of the account needs to manually accept every attempt at logging in, especially if the person is in a different location. Fordham University uses Duo Mobile, an MFA that requires account holders to either accept a push notification, pick up a phone call, or retrieve a one time password from a separate device (usually a cellphone) each time they login to Gmail or the portal. After accepting a Duo request, users can select that the device they’re currently using is private, this makes Duo Mobile remember the device and will ask you to request Duo authentication less often.
If users aren’t paying attention, they’ll accept Duo push notifications even if they didn’t induce them, giving the hacker access to their full account. Malicious actors can also inundate a user with duo push notifications until the user accepts one just to make it stop.
MFA fatigue attacks are incredibly dangerous to the security of your account as attackers could access your personal information, send emails from your account name, and even purchase things on your behalf.
Most people are overwhelmed with the amount of phone notifications they receive daily, so embracing digital minimalism and only allowing important or time sensitive notifications is the best way to remain mindful of what you click on. Having Duo remember your personal devices can also reduce the amount of requests you get, so when you do get a push notification from Duo, you’re more likely to pay attention.