MFA Fatigue

When you don’t really notice notices, you risk letting scammers in.

Many of us enable notifications on our smartphones so we know when new information arrives. It can be great to stay on top of the latest news or your friends’ upcoming activities.

Enhanced security protocols such as multi-factor authentication (MFA) for your bank account or for university resources use the same push notification tools. A notification can be set up so that a quick tap on your device approves the login and lets you in.

When you become overwhelmed by all the noise, you are at risk of missing out on clues that tell you a request is from a scammer hoping to steal your credentials.

As explained by Isaac Galvan, Lead Cybersecurity Training Specialist in Technology Services, MFA fatigue is when a cybercriminal floods you with approval prompts in the middle of the night or randomly throughout the day. “The cyber-criminal hopes to fatigue you with endless notifications so you get tired of them and, in frustration, approve one,” he said.

Keep the following in mind to help avoid these MFA scams.

Timing is everything.

When a notice appears, does it coincide with when you are visiting a website or using an application? Manager of Identity and Access Jeremy Watson explained that you should not click or swipe unless you are actively using an application. “If you are awoken at 3:30 a.m. because of repeated texts or notifications, be concerned. You are NOT trying to log in to your account while fast asleep, so do not click,” he said.

Only approve Duo prompts you initiated by logging in with your password and keep generated passcodes secret from everyone.
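As an added example (not part of this article or the university's Duo setup), here is a defender-side detection rule over a constructed push-authentication log that flags the pattern described above: a burst of denied or unanswered prompts for one account within a short window, whether that burst lands at off hours, and whether an approval followed it. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified "<ISO timestamp> <user> <event>" form;
# it is not real Duo output. alice is being push-bombed at 03:30 and finally
# approves; bob is a normal user approving a single prompt he initiated.
SAMPLE_LOG = """\
2024-03-01T03:30:05Z alice push_denied
2024-03-01T03:30:40Z alice push_timeout
2024-03-01T03:31:02Z alice push_denied
2024-03-01T03:31:35Z alice push_timeout
2024-03-01T03:32:10Z alice push_approved
2024-03-01T09:14:02Z bob push_approved
"""

FAILED = {"push_denied", "push_timeout"}   # prompts the user did not accept


def parse_log(text):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(text, window=timedelta(minutes=10), threshold=3):
    """Flag users with `threshold` or more failed pushes inside `window`.
    Each finding records the burst size, whether it started at off hours
    (assumed: outside 07:00-22:00) and whether an approval followed it."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed pushes
    findings = {}
    for ts, user, event in sorted(parse_log(text)):
        q = recent[user]
        while q and ts - q[0] > window:   # age out events beyond the window
            q.popleft()
        if event in FAILED:
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {
                    "failed_pushes": 0, "approved_after_burst": False,
                    "off_hours": not 7 <= q[0].hour < 22, "first": q[0]})
                f["failed_pushes"] = max(f["failed_pushes"], len(q))
                f["last"] = ts
        elif event == "push_approved" and len(q) >= threshold:
            findings[user]["approved_after_burst"] = True   # attacker got in
            findings[user]["last"] = ts
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, f)
```

In a real deployment the approved-after-burst finding is the one to page on, since it means a credential is already compromised and the second factor was talked or worn past.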

We won’t call you to approve anything.

When a cybercriminal has an account’s password, they also need to get past the MFA protection. Cybercriminals can try to catch you off guard by impersonating a university official or IT staff member. Galvan added that a help desk or IT staff member “will never ask you to approve an MFA prompt or generate a passcode.”

He recommends you change your password if you get suspicious Duo prompts that you didn’t initiate or receive phone calls asking you about multi-factor authentication. This is a sign that someone else may have your password.

You can get notified of unapproved access.

Watson suggested you check your MFA settings for old or unrecognized devices and phone numbers. While you’re there you can set up a default approval device, so you get prompted when your password has been used to log in. You can change your password and update your MFA settings in the NetID Center at https://identity.uillinois.edu.