In response to rising cybercrime, many organizations, including AAFMAA, have implemented multi-factor authentication (MFA) to protect users from credential theft, phishing and brute-force password guessing. To get around this control, attackers have begun relying on users' MFA fatigue: they spam the victim with a stream of authentication prompts until the victim approves one and lets them in.
What is MFA fatigue?
MFA fatigue (also called push bombing) is a technique attackers use to get past multi-factor authentication by flooding the victim with push notifications until they give in. The attack does not start with MFA: it requires that the attacker already holds a valid password, obtained from stolen, leaked or guessed credentials. With that password, every login attempt the attacker makes generates a genuine MFA prompt on the victim's device.
Attackers count on the fact that users are so used to these notices, especially on mobile devices, that they will simply tap "Approve" to make the prompts stop and get back to using their phones. Because most users always have their phones with them, the attacker can keep sending prompts at any hour, hundreds of times over several days, and only needs the victim to approve once.
How is AAFMAA helping to protect against MFA fatigue?
- Educating Our Users: The best way to stop MFA fatigue attacks is to make sure our staff and Members know what to look out for and how to respond. While most people may recognize an unexpected prompt as a possible attack, they may not know what to do about it. Never approve an MFA prompt for a login you did not start yourself; deny it. If you suspect that you are receiving an MFA fatigue attack, contact AAFMAA IT so we can assist with the proper steps to protect your account, starting with a password change, since a stream of prompts means the attacker already has your password.
- Reduce the Possibilities for Login Fatigue: AAFMAA has worked to limit the number of separate logins required by implementing single sign-on (SSO) where we can, so that fewer prompts are normal and an unexpected one stands out.
- Restrictions: AAFMAA has placed a few restrictions on account access to ensure account safety. Those restrictions include:
- Geographic: For employees, access is limited to logins from within the continental US. Employees are required to inform IT when they will be traveling overseas and must obtain supervisor approval to be granted access to AAFMAA resources while abroad. Employees should also log out of Office 365 on their mobile devices before travel, so that the devices do not keep trying to sign in from overseas and fill the logs with failed access attempts that look like an attack.
- Number of Attempts: All AAFMAA users are limited in the number of failed attempts to enter a valid password and authenticate via MFA. After five failed attempts the account locks, which caps how many prompts an attacker can send before IT becomes involved.
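As an added example, not AAFMAA's own code or configuration, the following Python replays a constructed set of sign-in events and applies the five-failure lockout described above together with a simple push-bombing detector: it flags the lockout, blocks further prompts for a locked account, and marks any approval that follows repeated denials or timeouts as something for IT to investigate. The ten-minute sliding window, the event names and the sample log lines are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in/MFA events (not real logs). Each line is:
# <ISO-8601 UTC timestamp> <username> <event>
# Events (assumed names): push_sent, push_approved, push_denied, push_timeout
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice push_sent
2024-05-01T02:10:35Z alice push_timeout
2024-05-01T02:10:36Z alice push_sent
2024-05-01T02:10:50Z alice push_denied
2024-05-01T02:10:51Z alice push_sent
2024-05-01T02:11:21Z alice push_timeout
2024-05-01T02:11:22Z alice push_sent
2024-05-01T02:11:30Z alice push_denied
2024-05-01T02:11:31Z alice push_sent
2024-05-01T02:12:01Z alice push_timeout
2024-05-01T02:12:02Z alice push_sent
2024-05-01T02:12:10Z alice push_approved
2024-05-01T08:00:00Z bob push_sent
2024-05-01T08:00:10Z bob push_approved
"""

MAX_FAILED_PROMPTS = 5          # the five-attempt lockout described in the text
WINDOW = timedelta(minutes=10)  # assumed sliding window; the text gives no window
FAILURE_EVENTS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the whitespace-separated log format above into (time, user, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort(key=lambda e: e[0])
    return events


def evaluate(events, max_failed=MAX_FAILED_PROMPTS, window=WINDOW):
    """Replay events in time order, enforcing the lockout and flagging
    push-bombing patterns. Returns (findings, locked_at) where findings is a
    list of (time, user, reason) and locked_at maps user -> lock time."""
    failures = defaultdict(deque)   # per-user timestamps of unanswered/denied prompts
    locked_at = {}
    findings = []
    for ts, user, event in events:
        recent = failures[user]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event == "push_sent":
            # A locked account must not receive further prompts at all.
            if user in locked_at:
                findings.append((ts, user, "push_blocked_account_locked"))
        elif event in FAILURE_EVENTS:
            recent.append(ts)
            if user not in locked_at and len(recent) >= max_failed:
                locked_at[user] = ts
                findings.append((ts, user, "account_locked_possible_mfa_fatigue"))
        elif event == "push_approved":
            if user in locked_at:
                # Should be impossible if the block above is enforced; in log
                # replay it means the attacker got through. Escalate.
                findings.append((ts, user, "approval_after_lockout_investigate"))
            elif len(recent) >= 2:
                # Assumed heuristic: an approval right after repeated denials or
                # timeouts is the classic "tap to make it stop" outcome.
                findings.append((ts, user, "approval_after_repeated_failures_investigate"))
            else:
                recent.clear()  # clean approval: reset the failure count
    return findings, locked_at


def users_to_investigate(findings):
    """Distinct users named in any finding, sorted for stable reporting."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    found, locked = evaluate(parse_log(SAMPLE_LOG))
    for ts, user, reason in found:
        print(f"{ts.isoformat()} {user:8} {reason}")
    print("locked:", {u: t.isoformat() for u, t in locked.items()})
```

Run as a script, the replay locks alice at her fifth failure, reports the prompt sent after the lock as blocked, and flags the final approval for investigation; bob's single clean approval produces nothing. The same logic maps onto real sign-in logs once the event names are adapted to the identity provider in use.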
Protecting AAFMAA Members and resources is a team effort and requires diligence, awareness, and a willingness to reach out to IT whenever in doubt. We are here to help.