There is now a real problem with attacks taking advantage of the ubiquitous use of MFA to protect user accounts. Having gained part of the account information, attackers are now repeatedly sending MFA challenges to victims. The victim either mistakenly accepts the challenge or receives so many that they eventually submit and accept them to stop the flood. This type of attack now has a name: MFA Fatigue.
Microsoft released some additional features to their MFA challenges during 2022, which could be used as an option for those seeking to combat MFA fatigue. In a nutshell, instead of a simple 'approve' option, the non-fatigued MFA challenge also requires confirmation of a number shown on the device screen. This is what it looks like on a computer:
With this change, the individual is then able to judge whether the information is valid and needs to engage their brain rather than just authorising as a knee-jerk response. We at Flex IT have adopted this for our daily use, and although it's a bit more involved, it works very well and is not particularly onerous.
As part of Microsoft's campaign to secure the M365 platform, they are enforcing this feature globally this month, February 2023. All individuals will start to see the non-fatigued challenge instead of the current 'approve' option.
Contact us today to find out more.