Cyber attackers are finding new methods to circumvent multi-factor authentication (MFA) protections. The latest seen at Washington State University is called MFA fatigue.
This occurs when an attacker manipulates legitimate services such as password reset to send repeated MFA challenges to the user. As the challenges become annoying, the attacker anticipates that the user will eventually relent and approve the notifications to halt the barrage.
Information Technology Services recommends members of the WSU community decline all MFA challenges that are not personally initiated. In addition, MFA works best when used in conjunction with a strong password. Ensuring that both are in place is currently the best method of securing online accounts.
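On the defending side, the barrage described above shows up in authentication logs as a burst of unapproved MFA challenges to one account, sometimes ending in an approval. The sketch below is an added example, not WSU or ITS code; the event format, the threshold of five challenges and the ten-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample data: (ISO timestamp, account, outcome of one MFA challenge).
# The tuple layout and the outcome names are assumptions, not a real log format.
SAMPLE_EVENTS = [
    ("2024-01-01T02:00:05", "bob", "denied"),
    ("2024-01-01T02:00:40", "bob", "timeout"),
    ("2024-01-01T02:01:10", "bob", "denied"),
    ("2024-01-01T02:01:45", "bob", "timeout"),
    ("2024-01-01T02:02:20", "bob", "denied"),
    ("2024-01-01T02:02:50", "bob", "approved"),    # user relents after the burst
    ("2024-01-01T09:00:00", "alice", "approved"),  # ordinary sign-in
    ("2024-01-01T10:00:00", "carol", "denied"),    # isolated denials, far apart
    ("2024-01-01T10:30:00", "carol", "denied"),
    ("2024-01-01T11:00:00", "carol", "approved"),
]


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts that receive `threshold` unapproved challenges inside
    `window`, and separately flag an approval that follows such a burst."""
    recent = defaultdict(deque)  # account -> times of recent unapproved challenges
    alerts = []
    for stamp, account, outcome in sorted(events):  # ISO strings sort by time
        now = datetime.fromisoformat(stamp)
        q = recent[account]
        while q and now - q[0] > window:  # drop challenges older than the window
            q.popleft()
        if outcome == "approved":
            if len(q) >= threshold:
                # Highest priority: the approval may not have been the user's intent.
                alerts.append((account, "approved_after_barrage", stamp, len(q)))
            q.clear()
        else:
            q.append(now)
            if len(q) == threshold:  # fire once as the burst crosses the threshold
                alerts.append((account, "barrage", stamp, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_barrage` alert is the case to act on first, since it matches a user approving a challenge just to stop the notifications.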
ITS established multi-factor authentication to help protect WSU information and resources. MFA improves security by requiring more than one piece of information to validate identity.
These can come from a combination of the following:
- A password or a PIN
- A verification code or token, often shared through a separate channel such as email, SMS, or phone application
- A fingerprint, retinal scan, or other biometric data
While the extra steps take additional seconds to complete, the verification process is much stronger than a simple password check. WSU made MFA a requirement for faculty, staff, and students, and by doing so immediately noticed a significant drop in the number of compromised accounts.
If you suspect someone may be trying to break into your account, contact Information Security Services at firstname.lastname@example.org immediately.