Most organizations and online platforms use multifactor authentication (MFA) (also called two-factor authentication) to confirm that the user is an authorized individual and not a scammer or fraudster. We have all been trained to use MFA through our workplaces to gain access to our work emails; tech companies offering free email services are suggesting that users deploy MFA, and online banking and other platforms use MFA to authenticate customers. We are getting used to receiving MFA codes as a push to authenticate us before we can access the application. We click “It’s me” or “Yes” and we are in.

Unfortunately, because we are getting so used to MFA pushes, scammers and cyber criminals know that users will just click on the push without researching or looking closely at the code to determine whether or not it is one that they generated. It is the perfect scam, and they are using it.

How does MFA fatigue happen? Usually, the threat actor has obtained the credentials of the user first through social engineering, a phishing attack, or obtaining compromised credentials on the dark web. (Note to readers: Don’t ever give up your credentials.) The scammer then uses the credentials and sends a rapid series of MFA pushes to the real user through email or text. The user then gets a bunch of pushes, which is annoying, and may click “yes” just to get them to stop, or thinks the MFA is stuck. Once the user clicks “yes,” the threat actor is in the device and can use the entry to implement a scam.

Individuals should remain vigilant and be suspicious of multiple MFA pushes and not click on “yes” unless the user has performed some activity that would generate an MFA push. If you receive multiple pushes, you may wish to call your IT help desk.

Companies may wish to consider increasing employee education about MFA fatigue so they will remain vigilant against an attack.

Here is some background and more tips to combat MFA fatigue.