MFA Fatigue: Passwords are still important
Have you heard of “MFA Fatigue”? Neither had I! You might, however, have seen that Uber, Cisco and Microsoft have had data breaches recently, all involving MFA Fatigue, so it is time to consider the consequences.
MFA Fatigue exploits Multi-Factor Authentication (MFA) solutions that send users sign-in approval notifications after account access attempts – as well as the fact that humans get frustrated by endless streams of messages. In an MFA Fatigue attack, the attacker uses stolen credentials to make repeated attempts to log into a user account protected by MFA, sending an endless stream of sign-in approval requests to the user's device. The intention is that the victim finally approves a request out of pure frustration, or because they have been convinced that their tech team asked them to.
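The pattern described above (many push prompts to one user in a short window, followed by an approval) is something an identity team can alert on. The following is an added detection example, not code from the original post; it runs over a constructed sample of MFA push events, and the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs): timestamp, user, outcome.
SAMPLE_LOG = """\
2023-09-15T02:01:05Z alice push_denied
2023-09-15T02:01:40Z alice push_denied
2023-09-15T02:02:10Z alice push_timeout
2023-09-15T02:02:55Z alice push_denied
2023-09-15T02:03:30Z alice push_denied
2023-09-15T02:04:12Z alice push_approved
2023-09-15T09:15:00Z bob push_approved
2023-09-15T09:16:30Z bob push_denied
"""

def parse_events(text):
    """Parse 'timestamp user outcome' lines into (datetime, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events

def detect_push_floods(events, window=timedelta(minutes=10), threshold=3):
    """Return alerts per user: the largest number of pushes seen inside `window`,
    and whether an approval arrived after a burst of non-approved prompts
    (the 'gave in out of frustration' signature of MFA Fatigue)."""
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, evs in by_user.items():
        start = 0  # left edge of the sliding time window
        for i, (ts, outcome) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1
            burst = evs[start:i + 1]
            if len(burst) < threshold:
                continue
            alert = alerts.setdefault(user, {"max_pushes": 0, "approved_after_flood": False})
            alert["max_pushes"] = max(alert["max_pushes"], len(burst))
            rejected_before = sum(1 for _, o in burst[:-1] if o != "push_approved")
            if outcome == "push_approved" and rejected_before >= threshold - 1:
                alert["approved_after_flood"] = True
    return alerts
```

A user flagged with `approved_after_flood` is a candidate for immediate session revocation and a password reset, which is exactly where the password policy discussed below matters.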
Now, breaching a push-based authentication method should not open the doors to your systems, as you will still have the user's password to protect you. This is the point of MFA or 2FA: the attacker must defeat two authentication factors. But if you have let your password policies and processes slide because “we have MFA, so passwords are not that important!”, then in reality you are down to one-factor authentication. MFA Fatigue illustrates what security experts have said repeatedly: no authentication method is 100% secure!
My advice is that your company makes a Password Protection Plan covering policies, processes, technologies and organization. Passwords, as the “thing only I know”, must remain an important part of your protection!
Finn Jensen, CEO