Why Hackers Love Your "MFA"

AZ Innovations, May 20, 2026

Multi-Factor Authentication (MFA) is non-negotiable. But not all MFA is created equal. If you are using "Push Notifications" (the ones where you just hit "Approve"), you are vulnerable to "MFA Fatigue."

The Attack: MFA Fatigue

Here is what happens:

  1. The hacker gets your password (maybe from an old breach).
  2. They try to log in at 2:00 AM.
  3. You get a notification on your phone: "Approve sign-in?"
  4. You ignore it.
  5. They try again. And again. And again. 20 times in 5 minutes.
  6. Eventually, you get annoyed (or confused, thinking it's a glitch) and hit "Approve" just to make it stop.
  7. Game over. They are in.
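
The prompt burst in steps 3 to 6 is visible in sign-in logs before anyone taps "Approve". The following detection sketch is an added example, not part of the original article: it flags users who receive many unapproved push prompts in a short window and marks the case where the burst ends in an approval. The event field names, thresholds and sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The field names (user, time,
# result, ip) are hypothetical; map them from your sign-in log export.
T0 = datetime(2026, 1, 15, 2, 0, 0)
SAMPLE_EVENTS = [
    {"user": "alice", "time": T0 + timedelta(seconds=30 * i),
     "result": "timeout", "ip": "203.0.113.7"} for i in range(6)
] + [
    {"user": "alice", "time": T0 + timedelta(minutes=4),
     "result": "approved", "ip": "203.0.113.7"},
    # bob: one missed prompt, then a normal approval; should not alert
    {"user": "bob", "time": T0 + timedelta(minutes=1),
     "result": "timeout", "ip": "198.51.100.4"},
    {"user": "bob", "time": T0 + timedelta(minutes=2),
     "result": "approved", "ip": "198.51.100.4"},
]

def find_push_fatigue(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on users with >= threshold unapproved push prompts inside
    `window`, and record whether an approval followed the burst."""
    recent = defaultdict(deque)   # user -> times of recent unapproved prompts
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user, ts, q = ev["user"], ev["time"], recent[ev["user"]]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "burst_start": q[0],
                    "prompts": 0, "approved_after_burst": False})
                a["prompts"] = max(a["prompts"], len(q))
        elif ev["result"] == "approved":
            if len(q) >= threshold:
                # The dangerous case: a burst of prompts ended in an approval.
                alerts[user].update(approved_after_burst=True,
                                    approved_ip=ev["ip"])
            q.clear()   # an approval resets the user's prompt history
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set is the one to treat as a likely account compromise: revoke the session and reset the password rather than only notifying the user.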

The Fix: Number Matching

Microsoft introduced "Number Matching" to fix this. Instead of just hitting "Approve," the phone asks you to type in a 2-digit number displayed on the computer screen.

Since the hacker can't see your screen, they can't type the number. The attack fails.

Action Item

Go to your Entra ID (Azure AD) settings today and enforce "Number Matching" for Microsoft Authenticator. It costs nothing and eliminates this entire class of attacks.
