Microsoft Office 365 Is A Target For MFA “Fatigue” Attack Says GoSecure Report

It is considered good practice to use multi-factor authentication, or MFA, for any accounts that you have, as that should make you less likely to be pwned. But GoSecure has a report out that says not so fast on that front. They’ve come across an MFA attack that leverages the one weakness of MFA. Fatigue:

The term “MFA Fatigue” refers to the overload of notifications or prompts via MFA applications, in multiple accounts, that the user receives during the day to perform logins or approve different actions. It should not be confused with “Password Fatigue” in which the user is overwhelmed with the number of passwords or PINs they must remember for multiple accounts or events. MFA Fatigue and Password Fatigue do share a similar theme, that the user is “fatigued” (or overwhelmed by volume) and will start setting security best practices aside and become careless, putting their organization and their accounts in danger of compromise. 

As a result there are now attacks that leverage this fatigue to pwn you. Which of course is bad. Lucas Budman, CEO of TruU had this to say:

“MFA fatigue will continue to proliferate unless we leverage new ways of authenticating users that cannot be easily stolen or manipulated. Multifactor is common parlance, but in fact for most people “multi” really means a single factor that serves as the second or MFA factor. The reality is that it’s very easy to compromise a password, making us completely dependent on the second or “band-aid” factor. New solutions like TruU address these issues by completely eliminating the password and by continuously monitoring a host of behavioral and environmental signals—in other words, true multifactor.”

The solution mentioned in the quote above is also known as passwordless authentication, and many companies are bringing this, or have already brought this, to market in a variety of forms. Thus if you’re security conscious, you should have a look at this tech to keep your enterprise safe.
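Since the attack described above works by flooding a user with push prompts until one gets approved, the defensive counterpart is spotting that burst in MFA logs. The following is an added example, not code from the GoSecure report or this post: it runs a simple sliding-window detector over constructed sample log lines (the log format, user names and thresholds are assumptions) and flags users who received a run of prompts containing rejections, noting when the run ended in an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): ISO timestamp, user, method, result.
SAMPLE_LOG = """\
2023-01-10T08:00:05Z alice@example.com push denied
2023-01-10T08:00:40Z alice@example.com push denied
2023-01-10T08:01:15Z alice@example.com push timeout
2023-01-10T08:01:50Z alice@example.com push denied
2023-01-10T08:02:30Z alice@example.com push denied
2023-01-10T08:03:10Z alice@example.com push approved
2023-01-10T09:15:00Z bob@example.com push approved
2023-01-10T12:30:00Z bob@example.com push denied
2023-01-10T12:31:00Z bob@example.com push approved
"""

def parse_line(line):
    ts, user, _method, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), min_prompts=4):
    """Return one alert per user whose prompts inside some sliding window reach
    min_prompts and include at least one rejection (denied/timeout).  The alert
    records whether the burst ended in an approval, the case an analyst should
    treat as a likely compromise rather than mere annoyance."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            rejected = [r for _, r in burst if r != "approved"]
            if len(burst) >= min_prompts and rejected:
                info = {"user": user, "prompts": len(burst), "rejected": len(rejected),
                        "approved_after_rejects": burst[-1][1] == "approved"}
                prev = alerts.get(user)
                if prev is None or info["prompts"] >= prev["prompts"]:
                    alerts[user] = info  # keep the largest (and latest) burst
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

In the sample data only alice trips the detector: six prompts in just over three minutes, five rejected, then an approval, which is exactly the pattern worth an immediate password reset and session review.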
