Anthony Daniel WatchGuard Technologies

How to avoid an outbreak of ‘MFA Fatigue’ in your organisation

In an effort to avoid the potential disruption and losses stemming from cyberattacks, increasing numbers of organisations are turning to multi-factor authentication (MFA).

MFA requires users to provide an additional piece of information above and beyond a traditional password. This could be anything from a code generated by an app on a smartphone to a fingerprint or facial scan.

When it comes to improving security, MFA is very effective. Even if a user's log-in credentials have been compromised, a cybercriminal still cannot gain access to an organisation's IT infrastructure unless they can also obtain, or trick the user into supplying, the additional factor.

Overcoming user resistance

While MFA offers significant benefits, it can still be met with some resistance from users. It’s often perceived as an annoying extra step that makes logging in more complex and time consuming.

Thankfully, it’s possible to deploy MFA in a way that increases cybersecurity without adding complexity or reducing end-user productivity.  There are five key steps that should be taken to achieve this. They are:

  1. Assess your organisation’s needs:
    There are a range of different MFA solutions on the market and so a key first step is to carefully assess your organisation’s requirements to ensure the most appropriate one is selected.

    Take into account the type of data to be protected, as well as the complexity of overall security requirements. Undertaking this assessment will increase the likelihood that the selected tool will be appropriate and not simply seen as an additional hurdle by staff.

  2. Conduct user training:
    Conducting formal training is one of the best ways to overcome MFA resistance. In most cases, humans are considered the weakest link in the chain so it’s crucial to educate them properly about the importance of the technology.

    Explain why it is being deployed and how it helps to keep both them and the organisation's IT infrastructure protected from threats. Having this understanding will make it much more likely they will accept the new tool.

  3. Consider combining MFA with SSO:
    Deploying single sign-on (SSO) authentication offers a much-improved user experience. Users can sign in just once and have access to all the resources they require. By combining SSO with MFA, a more seamless user experience is created alongside better security. Note that SSO also concentrates risk: one SSO session unlocks every connected application, so the SSO sign-in itself is the one that must be protected by MFA.

  4. Continually review authentication settings and policies:
    Having an effective MFA solution is not a set-and-forget activity. It needs to be properly configured with pre-determined policies for access in place.

    It can also often be useful to designate different authentication factors based on roles. Factors with high resistance to attacks, such as phishing-resistant hardware security keys, can be required for privileged accounts, while simpler but still effective ones, such as authenticator-app codes, can be deployed for less privileged users.

  5. Keep an eye on the evolving threat landscape:
    Recently, a social-engineering technique dubbed 'MFA Fatigue Attacks' (also known as push bombing or prompt bombing) has emerged and is gaining popularity among cybercriminals due to its high level of effectiveness.

    In such attacks, a cybercriminal who already holds a user's password triggers a stream of MFA push notifications to that user's phone, often at inconvenient hours, in the hope that the user, worn down by the constant prompts or assuming the system is malfunctioning, eventually taps 'Approve' just to make them stop. A single approval is enough to give the attacker a session. The cybercriminal might also pose as a support employee and ask the user to read out the code they need to log into the account.

    An effective MFA solution needs to evolve and incorporate new functionalities that are adapted to the latest strategies deployed by cybercriminals. Against push bombing that means offering number matching (the user must type a code shown on the login screen into the authenticator, so a blind tap on 'Approve' no longer works), limiting or temporarily suspending push prompts for a user after repeated denials, showing the requesting location in the prompt, and alerting the security team to bursts of prompts so they can be investigated rather than silently ignored.
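The two controls mentioned in step 5 for push bombing, a prompt throttle and a detection rule over authentication logs, are shown below as an added example; it is illustrative code written for this article, not WatchGuard's product or any vendor's schema. The log format, the event names (`push_sent`, `push_denied`, `push_timeout`, `push_approved`), the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""
Added example: detecting and throttling MFA push bombing ("MFA fatigue").

Two controls, both against an assumed, constructed log format:
  1. PushThrottle: stop sending push prompts to a user once several prompts
     have been denied or timed out within a short window, so an attacker
     cannot keep hammering the phone until the user taps Approve.
  2. detect_push_bombing: a rule a SIEM could run over auth logs, flagging a
     burst of prompts to one user and, worse, an approval that follows a run
     of denials (the "user finally gave in" pattern).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): "<timestamp> <user> <event> <source ip>".
# alice is being push-bombed from 203.0.113.7 and eventually approves; bob is a normal login.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z alice push_sent 203.0.113.7
2023-05-02T08:01:15Z alice push_denied 203.0.113.7
2023-05-02T08:01:40Z alice push_sent 203.0.113.7
2023-05-02T08:01:45Z alice push_denied 203.0.113.7
2023-05-02T08:02:10Z alice push_sent 203.0.113.7
2023-05-02T08:02:15Z alice push_denied 203.0.113.7
2023-05-02T08:02:40Z alice push_sent 203.0.113.7
2023-05-02T08:03:20Z alice push_timeout 203.0.113.7
2023-05-02T08:03:30Z alice push_sent 203.0.113.7
2023-05-02T08:03:45Z alice push_approved 203.0.113.7
2023-05-02T08:05:00Z bob push_sent 198.51.100.20
2023-05-02T08:05:06Z bob push_approved 198.51.100.20
"""

NOT_APPROVED = {"push_denied", "push_timeout"}   # assumed event names


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str      # push_sent | push_denied | push_timeout | push_approved
    src_ip: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, user, event, ip))
    return sorted(events, key=lambda e: e.ts)


class PushThrottle:
    """After max_failures unapproved prompts inside `window`, refuse further pushes
    for that user; the login must then fall back to a stronger factor (e.g. a code)."""

    def __init__(self, window=timedelta(minutes=10), max_failures=3):
        self.window = window
        self.max_failures = max_failures
        self._failures = defaultdict(list)   # user -> timestamps of denials/timeouts

    def record(self, ev):
        if ev.event in NOT_APPROVED:
            self._failures[ev.user].append(ev.ts)

    def allow_push(self, user, now):
        recent = [t for t in self._failures[user] if now - t <= self.window]
        self._failures[user] = recent        # drop entries outside the window
        return len(recent) < self.max_failures


def replay_with_throttle(events, throttle=None):
    """Replay a log through the throttle and return the pushes it would have blocked.
    (Later log events are replayed as recorded, even after a blocked push.)"""
    throttle = throttle or PushThrottle()
    blocked = []
    for ev in events:
        if ev.event == "push_sent" and not throttle.allow_push(ev.user, ev.ts):
            blocked.append(ev)
        throttle.record(ev)
    return blocked


def detect_push_bombing(events, window=timedelta(minutes=10), burst_threshold=5):
    """Return (user, reason, detail) alerts: a burst of prompts to one user, or an
    approval preceded by repeated denials/timeouts within the window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            recent = [x for x in evs[: i + 1] if ev.ts - x.ts <= window]
            sent = sum(1 for x in recent if x.event == "push_sent")
            failed = sum(1 for x in recent if x.event in NOT_APPROVED)
            ips = sorted({x.src_ip for x in recent})
            if ev.event == "push_sent" and sent == burst_threshold:
                alerts.append((user, "push_burst", f"{sent} prompts within {window} from {ips}"))
            if ev.event == "push_approved" and failed >= 2:
                alerts.append((user, "approval_after_denials",
                               f"approved after {failed} unapproved prompts from {ips}"))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_push_bombing(evs):
        print("ALERT", alert)
    for push in replay_with_throttle(evs):
        print("BLOCKED push to", push.user, "at", push.ts.isoformat())
```

Run against the constructed log, the detection rule raises two alerts for alice (a burst of five prompts, then an approval after four unapproved prompts) and none for bob, while the throttle would have refused alice's fourth and fifth prompts, so the final 'Approve' tap that hands the attacker a session never gets the chance to happen. The window and thresholds are deliberately conservative placeholders; tune them to the prompt volume your own users generate.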

According to industry research, 86 per cent of attacks on corporate web applications come from credential theft.  For this reason, having an effective MFA system in place is vital as it provides greater certainty that a user is who they claim to be before granting access to an online application or account.

Organisations of all sizes should take the time to evaluate MFA options and deploy the system that is most appropriate for their situation. The result will be better security and more protected users.

Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands – at WatchGuard Technologies.
