During a multi-factor authentication (MFA) fatigue attack, MFA requests are repeatedly sent to the target’s email, phone, or registered devices. The goal is to pressure you into approving access, giving the attackers access to your account or device.
Protect yourself by protecting your login credentials - check twice, click once
An MFA fatigue attack begins when login information like your username and password have already been compromised. Avoid using easy to guess or frequently used passwords, and check whether your login credentials have already been stolen by following our advice on setting secure passwords here.
The victim now receives multiple MFA requests and becomes “fatigued”
The attacker’s goal is for you to approve the request, giving them access to your account or device. Often, a victim will push “Yes” in the hope of stopping the notifications. You may think it’s an application malfunction or a test, or just want the notifications to end out of frustration.
The attacker may also pose as a tech support employee and attempt to explain that the push notifications are part of a normal maintenance procedure.
Remember: Neither our IT Service Desk, or your Internet Service Provider (ISP), will contact you to fix an issue unless you've logged a call. The university will not introduce a new IT solution or process unless it has first been communicated through official channels, such as an email from the IT Service Desk or a Portal news article.
To report suspicious messages or issues with multi-factor authentication, please contact the IT Service Desk.
Use the Microsoft Authenticator app for quick and secure access to our systems
We recommended that all our staff and students use the Microsoft Authenticator app set to 'receive notifications for verification' as it provides the fastest and easiest method of MFA approval. It is also more secure than other forms of MFA, such as text codes or phone calls.
We will soon enable new security features via the Authenticator app, designed to protect you from MFA Fatigue and other attacks. So it will remain the best method to keep you, your data and our systems safe.
