{"id":1248,"date":"2026-01-16T08:00:33","date_gmt":"2026-01-16T13:00:33","guid":{"rendered":"https:\/\/www.montclair.edu\/phish-files\/?p=1248"},"modified":"2026-01-21T15:43:19","modified_gmt":"2026-01-21T20:43:19","slug":"duo-mfa-fatigue","status":"publish","type":"post","link":"https:\/\/www.montclair.edu\/phish-files\/2026\/01\/16\/duo-mfa-fatigue\/","title":{"rendered":"MFA Fatigue: When \u201cApprove\u201d Is the Wrong Choice"},"content":{"rendered":"
Multi-Factor Authentication (MFA) is essential for keeping campus accounts and data secure. By requiring a second verification\u2014like a push notification, text, or token\u2014MFA helps protect sensitive research, personal data, and university systems. But there\u2019s a growing concern: MFA fatigue<\/strong>.<\/p>\n MFA fatigue occurs when users are repeatedly prompted to approve authentication requests\u2014sometimes dozens of times a day. This can create stress and frustration, leading users to reflexively click \u201cApprove\u201d without verifying the request.<\/p>\n Cybercriminals exploit this behavior through tactics like \u201cpush bombing,\u201d<\/strong> sending multiple approval requests to trick users into granting access. A fatigued click on \u201cApprove\u201d can give attackers instant access to your account.<\/p>\n Universities store vast amounts of personal and research data, making them high-value targets. With students, faculty, and staff logging in from multiple devices and locations, MFA fatigue creates an opportunity for attackers to gain unauthorized access.<\/p>\n Pause before approving:<\/strong> If you didn\u2019t initiate the login, it\u2019s likely suspicious.<\/p>\n<\/li>\n Switch to Duo Verified Push:<\/strong> This method shows login details like device and location, making it easier to identify unauthorized attempts.<\/p>\n<\/li>\n Contact the IT Service Desk if you can\u2019t switch:<\/strong> The IT Service Desk can help ensure your account is using the safest MFA method.<\/p>\n<\/li>\n Report fraudulent requests:<\/strong> If you did not initiate the request, hit Fraud in the Duo mobile app.<\/p>\n Report phishing emails with the Phish Alert Button (PAB):<\/strong> If you receive a suspicious email, report it immediately to help protect yourself and the campus community.<\/p>\n<\/li>\n<\/ul>\n Approve requests automatically:<\/strong> Clicking \u201cApprove\u201d just to stop notifications can compromise your account.<\/p>\n<\/li>\n Ignore notifications:<\/strong> Unexpected prompts may indicate an attempted compromise.<\/p>\n<\/li>\n Share your Duo codes or passwords with anyone:<\/strong> Attackers may pose as the IT Service Desk or use phishing forms (like Google Forms) to trick you into giving your credentials and MFA code.<\/p>\n<\/li>\n Rely on less secure MFA methods:<\/strong> SMS or phone calls are easier for attackers to exploit.<\/p>\n Using Duo Verified Push<\/strong> is a safer, more informative way to authenticate. It reduces MFA fatigue by giving you context for each login attempt and helps you spot suspicious activity before it becomes a problem.<\/p>\n Remember:<\/strong> Not every \u201cApprove\u201d request is safe. Switch to Duo Verified Push, pause before approving, never share your codes or passwords, report suspicious emails with the PAB, and contact the Help Desk if you need assistance. Your vigilance keeps our campus community secure.<\/p>\n Google | Phishing Campaigns Targeting Higher Education Institutions<\/a><\/p>\n sosafe| MFA Fatigue Attack<\/a><\/p>\n
<\/p>\nWhat is MFA Fatigue?<\/h2>\n
\nWhy Higher Ed is a Target<\/h2>\n
\nDo\u2019s and Don\u2019ts to Protect Yourself<\/h2>\n
Do:<\/strong><\/h3>\n
\n
\n
Don\u2019t:<\/strong><\/h3>\n
\n
\n<\/li>\n<\/ul>\nMoving Toward Safer MFA Practices<\/h2>\n
\nWant to Know More?<\/h2>\n