MFA push fatigue - are users just approving everything now?
Posted by saymepony@reddit | sysadmin | 110 comments
Been noticing more cases where users just approve MFA prompts without really checking.
Not malicious, just habit.
Feels like once people get used to seeing the prompt, they stop thinking about it.
Kind of defeats the purpose if approvals become automatic.
Anyone else seeing this?
Did you change anything (number matching, policies, etc.), or just leave it as is?
FKFnz@reddit
Microsoft's default change to number matching a couple of years ago fixed that problem.
techb00mer@reddit
In the last week I’ve dealt with 5 separate tenants that have been stung by AiTM which all had number matching in place.
It’s time to go phishing resistant (passkeys) if you haven’t already started.
SaucyKnave95@reddit
Nah, just because the user now needs to match a number they see on their mobile doesn't mean they're not running on automatic. This is one of the side effects that put a sour taste in my mouth. MFA doesn't mean people are going to start thinking more about security. It just means they've got more steps to be mindless about.
GnarlyNarwhalNoms@reddit
I don't understand. Why would someone OK an MFA prompt if they aren't trying to log in?
Test-NetConnection@reddit
Can you explain how the number matching can be defeated? Last I checked users had to be tricked into accepting the push and entering the correct number, and no amount of MFA or passwordless security is going to prevent users from willingly handing over the keys to the kingdom.
Brilliant-Advisor958@reddit
They get phished with a fake website.
When the users click the link and log in, the fake server takes the credentials and logs into Office 365.
When the bad guys get an MFA prompt, they ask the user to enter the code on their MFA app.
It all looks like the user is logging into Office 365, but they aren't.
Now the bad guys have full access to your Office 365 account.
billy_teats@reddit
The number matching includes a prompt about what location you are attempting to log in from. So the attacker would need infrastructure in the location the user is coming from. Unless the user ignores that component, which is likely.
Device compliance defeats this attack though. If the device needs to be Intune registered then no amount of giving away MFA will allow the attacker in. Well, unless you’re like the Lapsus$ group and just register your device. But that only works if your Intune is set up in the loosest way possible.
Belgarion0@reddit
The location accuracy is often quite bad. At least it's showing the correct country, but very often the capital city instead of where you're really logging in from. (The accuracy seems to have gone down more after many ISPs started with CGNAT.)
billy_teats@reddit
I agree, geolocation based on IP has many flaws.
We encountered border issues; specifically, folks in Buffalo, New York were closer to Zscaler nodes in Canada, so their traffic egressed from a different country.
fiah84@reddit
the eyes glaze over anything that isn't immediately required to make the prompt go away. If checking the location is required for security, it should be something the user is required to input as verification.
billy_teats@reddit
Not for Entra.
Test-NetConnection@reddit
Interesting, but this is why you enable location-based MFA prompts. Passwordless with yubikeys is definitely the way to go.
techb00mer@reddit
The good news is that you don’t have to invest in yubikeys, modern phones support passkeys.
sarge21@reddit
The problem then becomes that phone + PIN now gets your unrestricted access to the account. Not phishable remotely, but easier to steal in person.
Finn_Storm@reddit
My boss also claims this with WHfB but honestly it's such a nonissue. You can just wipe the device and/or revoke creds
Test-NetConnection@reddit
That would work for Office365, but we need MFA to a bunch of other things including windows. Yubikeys support PIV, FIDO, and static passwords which gives us a lot of flexibility.
An_Ostrich_@reddit
Yeah I tested Entra passkeys (device-bound) and they’re working awesome so far.
No_Resolution_9252@reddit
Passkeys are not any more phishing resistant than mfa in your example scenario, they are equally exploitable.
Sacrificial_Identity@reddit
Risky user /risky sign-in would catch that, make them MFA again at minimum, hopefully block and force pw reset and revoke sessions?
Tall-Computer123@reddit
Might catch it, but I’d not bet the house on it; conditional access and requiring a joined device stops these attacks. We had a number slide past risky user, but they were caught by needing a joined device. Now you can do passkeys from modern mobiles, which is also a good option (but is still higher friction to set up for non-technical users). The quality of the phishing emails is going up; we’ve had compromised contacts emailing people where the user is expecting email from that person.
techb00mer@reddit
The scary thing is that these attacks steal your session, and that session is a valid, fully compliant device. So device compliance doesn’t save you. Only the auth method (domain-bound passkeys) can save you.
YSFKJDGS@reddit
You are thinking of a different attack than what 99% of these are. Proxy/nginx attacks are the OG "MFA bypass" people love to call it, but in reality the login shows up as the attacker device, which you can account for in MOST cases via CA policies. It isn't 'stealing' the session, it is just allowing the attacker to open the session.
Session STEALING is usually from browser-side attacks, which do exist but are not nearly as common as your standard phishing-based nginx attacks, which is what this chain is talking about.
Very easy to get the two confused.
MidninBR@reddit
You need to enable token protection and continuous access evaluation to mitigate this now.
mapbits@reddit
Synced mobile passkeys are pretty seamless for users now, with registration campaigns.
We're not going there because we're most of the way through a manual Authenticator Passkeys rollout and see hardware attestation as an important control against future threats (and don't particularly like how synced passkeys appear to interact with Apple/Google on first read).
Brilliant-Advisor958@reddit
That's a premium license feature.
Sacrificial_Identity@reddit
Ohh yes, true.. sometimes it pays to be gucci like that.
SemiDiSole@reddit
Look at "Evilginx". :)
roflsocks@reddit
That's exactly it. The attacker runs a fake login page and will relay your login info, which triggers MFA. They'll update the login interface to show you the numbers, because that's the normal workflow. The user enters the numbers, because they want access to whatever was promised to them in the phish.
It's not much different from old fake login pages that just stole your creds. Just now they have to automate the login workflow, and add your account to the queue for follow-up while the session is still active.
Users are trained: "click link, enter MFA AGAIN. Stupid MFA, always prompting me."
So when phished, they happily enter MFA.
DwemerSteamPunk@reddit
If a user will hand over a matching MFA then how would a passkey be more resistant? The attacker would just compromise the device instead of the account. It's just shuffling the vulnerability around to a different spot
DiggyTroll@reddit
The passkey device has biometrics and an enclave. Better security, but nothing can stop a physical attack (violence) or state actor (remote)
genericuser642@reddit
The stupids will probably just fuckin mail the keys to the attackers then.
m1327@reddit
We have proximity check over BLE. Solves that issue. (We do not use MS MFA)
Dazman_nz@reddit
I’ve had a couple of users with tokens stolen. Have now configured policies so that if a user's account is medium risk or higher, they’re forced to type their password and get an MFA code. Have configured a similar policy that just looks at the particular login too. So even if the current risk status of the account is low, if the login is medium or above, it forces interactive MFA.
AdmRL_@reddit
That has no relation to push fatigue...
AiTM is a real threat, but it's not what's being talked about here.
techb00mer@reddit
It has plenty to do with push fatigue. Moving to passkeys prevents any type of push notification to end users. Sure, number matching stops people from blindly pushing “yes” when they continue to receive notifications, but everyone should be looking at long term solutions to fix not just this issue but future issues.
saymepony@reddit (OP)
Yeah, helped a lot. Still see a few auto-approvers though.
bandit8623@reddit
they just pick 1 of the 3 without getting a code? lol
clubley2@reddit
That's for personal MS accounts, Entra ID requires you to type the number shown on the screen.
iRyan23@reddit
The three choice option for number matching is for Microsoft personal accounts only.
For all Entra tenants, you have to manually type the two digit number.
jdog7249@reddit
I have to type the code on the screen into my phone to approve it.
digital-bandit@reddit
If you're putting in effort to change to number based authenticating, just switch to passkeys completely if you can. It's phishing proof.
AdmRL_@reddit
You literally can't be? How are they entering the number on screen when they haven't signed in and do not have a number on screen? They aren't.
joyfullystoic@reddit
Like 3 guys in my company fell for a phishing meeting invite with a PDF attachment that had a QR they scanned with their phones, it pointed to a .ru domain, they opened the link, Authenticator asked if it’s them trying to login to Outlook Mobile and they approved it 🤦🏽♀️
They all had a stupid excuse like they were actually waiting for a reply from someone…
caribbeanjon@reddit
I used to think this until we had our first case where an employee effectively guessed the right number (1 out of 3 is pretty good odds). Moving to passwordless so they have to type in the number is the real solution.
drevilishrjf@reddit
Best way to solve these issues is to stop using WebUIs that require constant login prompts. Use apps that have end-to-end encryption: one-time sign-in, then have to approve a new device/app instead of constantly entering credentials into web pages.
Magic links in emails. Emails should not be “WebPage” accessible. Should be in a locked-down app environment.
The less time the user spends typing and authenticating, the less natural it feels, and the more they will question if it’s REAL when it does pop up.
nizzoball@reddit
If I get a random MFA request and I didn’t initiate it I’m damn sure not approving it, work or personal that’s just plain stupid
Competitive_Smoke948@reddit
yes, MFA is bloody annoying & I work in cybersecurity. I've got maybe 30 MFA codes on my phone, 5 apps & Microshit now are training users to scan a QR off the screen!
it's madness. I was lucky on a hack attempt a couple of years back on my Hotmail when someone managed to brute force my password. Constant MFA pings; I was LUCKY I was vaguely awake & not stressed & thought about where it was coming from, so I didn't say "yes", but one bad day & it could have been a different story.
when I checked my logs, it turns out someone had been banging my account for months & MS never notified me. You can't even notify THEM that someone was trying to hack the account.
MFA is just another way to push security & risk onto the user from a tech industry that doesn't give 2 shits about their customers.
No_Resolution_9252@reddit
could be that your sign on duration is too short if they are getting spammed that hard, or your identity management is a total mess. changing your conditional access policy to require they re-enter their pin may mitigate it some, but it will also annoy the users if they are getting spammed hard with mfa requests. Frankly if you are getting hit frequently enough for this to be a recurring problem, you probably have some other more serious problems than how mfa is configured.
N805DN@reddit
Passkeys!
mediweevil@reddit
users are WAAAY past the point of authentication fatigue.
every single system requires an individual login, nothing synced with single sign-on. Some require RSA, some require M$ Authenticator. Some need a password. Others need a passcode. Everything times out if not used for 10 minutes because "security", more logins. Whoops, Citrix just shit itself and killed half a dozen apps you were actively using. Log back into that with 2FA and then log back into all of the individual apps you were using. And while you were doing that, the ones running locally have timed out and need to be logged back in again.
and that's before I spent most of an hour on Friday logging into stuff that I don't use a lot just to reset the bullshit arbitrary timer that someone has set to disable "unused accounts" for "security". I might not need it a lot, but when I need it, I need it. So onto my ever-growing keep-alive-monthly list it goes. I don't care how much time it wastes - it's not my time, it's the company's time. I'm being paid.
users get nastygrams threatening their employment and livelihood if they fail a phishing drill which is nothing more than outright entrapment, although I noticed that's calmed down a bit since the fucking CSO his self-important self failed one recently and it was gleefully leaked.
I don't pretend to have the answer, I'm not a security professional. all I can say is that if that's genuinely the best that can be accomplished, it sucks. hard.
Ekyou@reddit
I don’t have an answer either, but authentication now is absolutely a nightmare for elderly/people with memory issues/low IQs/etc.
My mom has brain damage from chronic illness. She was very tech savvy, and still is to the extent that she can use it. Logging into her bank, or anyone that forces 2 factor, can take all day. She has to remember a secure password (or where she kept it), she then has to find her phone, fumble through her text messages, oh wait they sent it to email, oh they sent 2 emails, which do I use? What, code is expired? Rinse and repeat until she gets locked out and has to call tech support, which eats up the rest of her day…
Yes, we set her up with a password manager, which actually made the problem worse, because now she can’t tell if a password is saved in 1Password or the browser. She updates a password and it gets saved in one place and not the other, or the password manager creates a new entry and now she has 3 entries, and she’s locked out again. We admittedly haven’t tried setting up passkeys with it, which would probably help for sites that support them, but shes lost all trust in password managers, and even with passkeys, they can be too finicky.
It sucks because… my mom is like 90% self sufficient. She even manages to do her own taxes since she’s been doing them for so long. There’s no reason for me to have to manage her finances for her, and she still deserves the dignity to be allowed to manage her own life, finances and spending… except she just can’t handle two factor authentication.
mediweevil@reddit
I totally agree with the impact to the elderly and/or memory impaired. or even just non computer savvy people that are not used to the idea of suddenly needing to remember a heap of unique, complex passwords.
password managers don't really help those people, because they can't cope with them for the same reason they can't cope with the multiple passwords in the first place. My mum is over 80 and is still almost fully independent, but she still clings to a paper notebook full of an ever-increasing list of crossed-out passwords, despite my telling her over and over that's not a sustainable method.
even the new starter on my team at work is struggling, and he's a beginning IT professional. The sheer amount of security-enforced crap we need to wade through to work on anything deemed sensitive has long since become intrusive and offensive, and is now beginning to creep up on untenable. We've told management this many times, and it's always brushed aside because the frog is being boiled slowly. My response is yeah, OK - as long as you understand that we're spending an ever-increasing amount of time not working, but fighting to be able to work - just don't complain about our productivity or output as a result, because you allowed it to get this way.
to use one system I regularly need in the future, I will have to:
to run any sort of script using the file I have loaded I can't do that from my normal elevated privilege account because "security". I need to put in a self-serve IT request that temporarily provisions a separate account, which will expire at the end of the day. I then need to do a password reset for that account, which involves a 2FA login. then:
and because the temporary account is unpersisted at the end of every day, if I'm working overnight on a planned change, fuck me, right? This was pointed out to security and they just shrugged and said it "suited most people the best", which is bullshit for "we didn't think of that and since it doesn't affect us, we don't care and we're not going to revisit it". Their solution was to just not start until after midnight. But our change window normally commences at midnight, and we have an hour or more of prework before then; how does that work? Hmm, apparently we either have to delay that until midnight, which cuts into the change window itself, or just accept that we'll be kicked out of everything at midnight and need to stop and redo everything then just to be able to continue.
I am not remotely exaggerating this.
and when I bitch about it to management, all they say is that the alternative is that we will have to do everything that requires elevated privileges - which is basically every single thing I do other than e-mail - from a physically secure facility with a secure VLAN only terminated there, which means no more WFH, ever.
NightMgr@reddit
I have a few users who like to go find their phone when MFA is needed.
Free ten minute break and walk to the parking lot.
First_Slide3870@reddit
So i dealt with this on my personal account not too long ago. I ended up changing my authenticator to google authenticator because consumer accounts seem to be forced to use push if you use Microsoft authenticator.
All this to say, if you tune the auth method and conditional access policies on a tenant with business premium, you can eliminate these attempts. Even geo-blocking can eliminate TONS of attacks.
babywhiz@reddit
Yea but with both authenticators if you wipe the device all your keys are gone and good luck getting back into 90% of your accounts after that.
First_Slide3870@reddit
I mean, an MFA administrator can remedy this. If one is inclined they can create a "break glass" account and multiple admin accounts (As they should).
On a personal account, there seems to be a block on having multiple active devices for a single auth method. Also with a Google or MS account you can log in to your new device and your auth keys reappear/reload. Could even go as far as using a password manager for OTP, and then it's surefire...
I was getting push 30+ notification a day with MS authenticator.
scytob@reddit
yes, this has been this way for years. Move to a system like Entra ID where they have to enter the number they see on screen, or something like PureAuth passwordless.
Danny-117@reddit
Move to passkeys, then you don’t have to worry about it.
alficles@reddit
I'm going to be honest, I struggle with the passkey fatigue. Well, not just that, but that's part of it. I arrive in the morning and sit at my laptop. I type my password to unlock it. I then connect to the network. This requires another password. Then, I pull out my phone and enter the pass code to unlock it. I open the camera app and point it at the QR code on the screen. I touch the pass code button. It thinks for a few seconds and connects. I select my account, then I have to enter my pass code again. Now I am on the network.
I then need to log into my hosts. For this, I need a new cert. The tool for this performs another passkey login, but because this is listed as a "secure app", it requires a repeat of the process from a minute before. Once I have it, I can log into the host. This prompts me to unlock my key, which means typing yet another different credential to unlock my hardware key, then touching the key physically to prove my presence.
Then, I'm in. At least, until my session expires two hours later. The amount of physical manipulation of different elements is frustrating.
Danny-117@reddit
That is very much not a good user experience. In my eyes, in an ideal situation you would log in to your workstation passwordless with Windows Hello or something like it. Everything at the user level would be SSO, and you may be required to passkey MFA once to start your user session for the work day.
Then if you need to use an administrator account, you would log in to a jump box and be required to passwordless passkey auth into the admin zone; from there again everything should be SSO for that session and you shouldn’t need to MFA again.
kingreq@reddit
This. Most of the friction has nothing to do with passkeys.
You shouldn’t have to use password to open the computer or log into the network for starters. SSO and biometric authentication should be pretty standard nowadays.
xueimelb@reddit
Okay, but for some environments passkeys are good.
babywhiz@reddit
And THIS is why CMMC is so cumbersome. I guarantee you some sysadmin made it like that because of the interpretation of the controls.
BeanSticky@reddit
MFA fatigue IS a problem, but there’s plenty of solutions already available to solve it.
WHfB for Windows or Secure Enclave for macOS are passwordless & phishing-resistant forms of authentication tied to a managed device. Our users can go weeks without ever seeing an MFA prompt on our Intune-managed devices.
We also deploy YubiKeys to users that need to use shared workstations, which doesn’t necessarily decrease the amount of MFA prompts but it at least makes it much more difficult (if not impossible) for AiTM attacks or other phishing methods.
BadSausageFactory@reddit
Our MSP complained that the users don't reply when they follow up on an email reported as phishing. The email they send is marked external sender, doesn't say our company name, and has a big button CLICK HERE TO TALK TO AGENT and they don't know why people don't reply
meanwhile I'm assuming most of the clients have the MSP on their spam list by now but I'm not mad, I'm proud of every single paranoid one of them and told the MSP 'that's a you problem'
JamesRustl3r@reddit
Other than padding hours, I don't get why an MSP would want to talk to users after emails are reported as phishing.
BadSausageFactory@reddit
pretty standard in my experience, and we expect ours to follow up too. they want to know if the user interacted, get context. if we were just ignoring it we'd ask them to delete.
ValeoAnt@reddit
Should've changed to number matching at least 2 yrs ago
CptZaphodB@reddit
That doesn't help when phishers aim to steal your tokens. If users get the prompt too often, they won't question it when a phishing attack prompts them
ValeoAnt@reddit
Irrelevant, it is still better than not doing it
Jhamin1@reddit
Not really. Every security feature that adds cognitive load to the user not only makes them less likely to notice anything wrong, it also makes them increasingly likely to table flip and start refusing to do it at all.
If you add enough security overhead, someone important is going to convince someone important to order you to reduce or eliminate how much the users have to do. It's the same as saying 9 padlocks are better than 3. That is correct... but at some point people stop opening all the locks and demand their removal.
ValeoAnt@reddit
If you think number matching is giving more overhead, then you or your company simply do not care enough. It stops roughly 50-75% more push-based phishing attacks. That is worth it.
We moved to WHFB and users don't even have to remember passwords anymore.
b4k4ni@reddit
I think in his case this goes deeper than just one MFA system. We also use MFA and WHFB and are rolling out/testing other systems like FIDO or pw-less. It really depends on what your services or apps are using or support. We have some systems that only support TOTP or similar.
That's why OP was asking about that fatigue - and I can fully understand him. I have to use this on so many services today, a lot of private ones too, and it is exhausting at times. It is needed, no question, but how to improve on that?
I'm also trying to set up passkeys for my private accounts where it is supported :)
FarmboyJustice@reddit
User cognitive overload is never irrelevant, it's one of the core principles of effective social engineering attacks.
skylinesora@reddit
Yes, it doesn’t help, but it’s still progress. I think people fail to realize that defense is in depth. It’s not all or nothing.
PelosiCapitalMgmnt@reddit
If users are getting prompted often then it’s an issue with your policies or your setup. Seamless SSO helps with that, along with proper CAP policies to only prompt from unmanaged devices.
billy_teats@reddit
Don’t even prompt from unmanaged devices. Just deny. Well I guess the workflow would still prompt first. But most businesses should only be allowing sign ins from managed (and compliant) devices
babywhiz@reddit
This is incorrect. Microsoft loves to reset things for users all the time. I’ve had the same computer for 3 years and I have to MFA all the time, just for Office licenses (files and email are stored on prem so it’s not like they can find anything more than a bunch of Office installs if the bad guys get in. They can’t even access on prem AD.)
mapbits@reddit
Seamless SSO in Entra Connect (in case OP is searching by name) is not secure and should be disabled where possible.
Starting fresh, I'd be looking at Cloud Kerberos Trust / Hello for Business on workstations, Authenticator Passkeys and maybe synced passkeys on mobile, though I feel better with attestation enforced for future threats. Hardware FIDO2 keys to fill any gaps.
In our environment, all workstations are WHfB and token session is set to one day, renewing in the background whenever a user unlocks - we could probably go shorter. We also use Global Secure Access to gain token protection by default - a super powerful combination with generally good UX.
Just wish we could set the region for GSA egress IPs to our tenant region, users are SO annoyed by websites (like Microsoft / Bing) that present different content based on GeoIP.
Still working on getting everyone on Authenticator Passkeys so we can relax MFA session expiry on mobile devices.
AdmRL_@reddit
No one said it helped with a cyber sec issue?
Hollow3ddd@reddit
Yea, and most of that is generally easy to avoid with some decent training.
I’m shocked this isn’t fixed yet.
saymepony@reddit (OP)
Yeah… we’re behind on that. Need to fix it soon.
BCIT_Richard@reddit
We've seen this, users approving MFA prompts despite not trying to sign in.
Duo began rolling out Verified Duo Push, which shows a 3-digit combo at the bottom of the window the user needs to enter. I also remember when Google first rolled it out and I'd sign in to an app on my phone, the Google auth app would open before I could read the number I needed, often leaving me having to guess.
iceph03nix@reddit
This is why MS switched to asking for a number with the push so you couldn't just click approve any time it popped up
AbsurdKangaroo@reddit
Stop requiring 2fa for everything once already logged in....
Should be once at the start of the day and done. Never understand why more prompts occur; this device has authenticated as me in the last few hours, no need for re-prompts for every other service.
ig88b1@reddit
Have you met Microsoft? Click the "remember my login" button and the NEXT SCREEN will be another sign-in prompt.
skylinesora@reddit
Why are you still using push notifications and not at least number matching?
MrSanford@reddit
Could someone let me know if this thread is full of people that don’t understand AiTM attacks and phishing resistant MFA so I don’t get butt hurt reading the comments?
Academic-Proof3700@reddit
It's the outcome of orgs trying to MFA everything instead of, say, just connecting through VPN. If I gotta click once a day, then I know when to expect the popup. If I were to fuck around with constant popups 'cause I need to log in to 5 services each with MFA, and that's inside the org, then the problem isn't me, but the org's gestapo policy.
it4brown@reddit
MFA fatigue has been around a while. That's why we don't allow push notifications.
Neither_Bookkeeper92@reddit
Yeah this is a known problem and it's only getting worse. MFA push fatigue was literally the attack vector used in the Uber breach a couple years back — attacker just spammed the employee with push notifications until they approved one.
A few things that actually help:
Number matching — If you're using Microsoft Authenticator, enable number matching. Instead of just "Approve/Deny," the user has to type a 2-digit number shown on the login screen. This alone kills most fatigue attacks because the user has to actually look at both screens.
Reduce prompt frequency — If users are getting MFA'd 15 times a day, of course they stop paying attention. Look at conditional access policies to reduce unnecessary prompts (trusted devices, compliant device policies, session lifetime tuning).
Move to phishing-resistant MFA — FIDO2 keys or passkeys through MS Authenticator are the real answer long-term. No prompt to approve means no fatigue to exploit. Windows Hello for Business is another option that's basically free if you're already on Entra. Attackers are now using AI to time push bombing attacks perfectly, so simple push notifications are increasingly inadequate.
Alert on rapid denials — Set up alerts for when a user denies multiple MFA prompts in quick succession. That's almost certainly an active attack in progress.
The uncomfortable truth is that simple push-approve MFA is becoming legacy tech at this point. The sooner you can move to passwordless or phishing-resistant methods, the better.
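The "alert on rapid denials" suggestion above, plus the OP's "auto-approvers" and the location component billy_teats mentions, can all be expressed as simple detection rules over sign-in records. The following is an added example written for this thread, not code from any commenter or from Microsoft: it runs three checks over a constructed batch of push-MFA events (a burst of denials, an approval that follows a burst of prompts, and an approval from a country the user never signs in from). The record fields (`user`, `time`, `result`, `ip_country`) and the thresholds are assumptions; map them onto whatever your sign-in log export actually provides.

```python
"""Push-fatigue detection over MFA push events (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real tenant data. Field names are an assumption
# loosely modelled on sign-in log columns; adapt them to your log source.
SAMPLE_EVENTS = [
    # alice: four denied pushes in four minutes, then an approval from an
    # unfamiliar country: the "spam until they tap yes" shape
    {"user": "alice@example.com", "time": "2024-05-01T08:00:05Z", "result": "denied",   "ip_country": "NL"},
    {"user": "alice@example.com", "time": "2024-05-01T08:01:10Z", "result": "denied",   "ip_country": "NL"},
    {"user": "alice@example.com", "time": "2024-05-01T08:02:15Z", "result": "denied",   "ip_country": "NL"},
    {"user": "alice@example.com", "time": "2024-05-01T08:03:20Z", "result": "denied",   "ip_country": "NL"},
    {"user": "alice@example.com", "time": "2024-05-01T08:04:30Z", "result": "approved", "ip_country": "NL"},
    # bob: an ordinary day, two approvals hours apart
    {"user": "bob@example.com",   "time": "2024-05-01T09:00:00Z", "result": "approved", "ip_country": "US"},
    {"user": "bob@example.com",   "time": "2024-05-01T13:00:00Z", "result": "approved", "ip_country": "US"},
    # carol: two stray denials, then a legitimate approval half an hour later
    {"user": "carol@example.com", "time": "2024-05-01T10:00:00Z", "result": "denied",   "ip_country": "US"},
    {"user": "carol@example.com", "time": "2024-05-01T10:02:00Z", "result": "denied",   "ip_country": "US"},
    {"user": "carol@example.com", "time": "2024-05-01T10:30:00Z", "result": "approved", "ip_country": "US"},
]

# Countries each user normally signs in from (constructed; in practice learned from history)
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def parse_events(records):
    """Parse ISO-8601 timestamps and group events per user, oldest first."""
    per_user = defaultdict(list)
    for rec in records:
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        per_user[rec["user"]].append({**rec, "time": ts})
    for evts in per_user.values():
        evts.sort(key=lambda e: e["time"])
    return per_user


def _count_in_window(events, end, window, predicate):
    """Count events with end - window <= time <= end that satisfy predicate."""
    return sum(1 for e in events if end - window <= e["time"] <= end and predicate(e))


def find_denial_bursts(per_user, min_denials=3, window=timedelta(minutes=10)):
    """Users who denied at least min_denials prompts inside one sliding window.

    Returns {user: peak_denials_in_window}. Repeated denials are the clearest
    sign that someone other than the user is generating the prompts.
    """
    bursts = {}
    for user, evts in per_user.items():
        peak = 0
        for e in evts:
            if e["result"] == "denied":
                n = _count_in_window(evts, e["time"], window, lambda x: x["result"] == "denied")
                peak = max(peak, n)
        if peak >= min_denials:
            bursts[user] = peak
    return bursts


def find_fatigue_approvals(per_user, min_prior_prompts=3, window=timedelta(minutes=10)):
    """Approvals preceded by a burst of prompts: the user may have tapped yes to make it stop.

    Returns a list of (user, approval_time, prior_prompt_count).
    """
    hits = []
    for user, evts in per_user.items():
        for e in evts:
            if e["result"] != "approved":
                continue
            prior = _count_in_window(evts, e["time"], window, lambda x: x["time"] < e["time"])
            if prior >= min_prior_prompts:
                hits.append((user, e["time"], prior))
    return hits


def find_unfamiliar_country_approvals(per_user, baseline):
    """Approvals whose source country is outside the user's usual set."""
    return [(user, e["time"], e["ip_country"])
            for user, evts in per_user.items()
            for e in evts
            if e["result"] == "approved" and e["ip_country"] not in baseline.get(user, set())]


def analyze(records, baseline):
    """Run all three checks and return a dict of findings for alerting."""
    per_user = parse_events(records)
    return {
        "denial_bursts": find_denial_bursts(per_user),
        "fatigue_approvals": find_fatigue_approvals(per_user),
        "unfamiliar_country": find_unfamiliar_country_approvals(per_user, baseline),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_EVENTS, BASELINE_COUNTRIES).items():
        print(f"{name}: {finding}")
```

On the sample data only alice trips all three rules: four denials inside ten minutes, an approval that arrives right after that burst, and a source country outside her baseline. carol's two denials half an hour before her approval stay below both thresholds, which is the point of windowing: a user fat-fingering "deny" twice should not page anyone. The third check is the programmatic form of the location hint shown in the prompt; as several commenters note, IP geolocation is coarse (CGNAT, proxy egress in a neighbouring country), so treat it as a corroborating signal and tune the baseline per user rather than as a hard block.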
Root777@reddit
We switched to yubikeys, you must be physically there.
hobovalentine@reddit
That’s why it’s better to disable the push feature so people are less inclined to just automatically approve without thinking.
As a user it sucks but disabling push stops most of the automatic approvals without analyzing whether they really should approve or not
MeetJoan@reddit
Number matching fixed the mindless tap problem but the real issue is prompt volume. If MFA fires constantly throughout the day it becomes background noise - users stop seeing it as a security event.
Reducing how often the prompt appears (tighter CAP policies, SSO where possible) probably does more for actual security posture than any method tweak. Rare prompts get noticed. Constant ones don't.
Elygian@reddit
Why on earth would anyone use MFA that doesn’t use number matching?? You mean people are literally just pressing approve on an MFA ping even when they’re not actively logging in?
zhantoo@reddit
Pop-up fatigue is a real thing.
fdeyso@reddit
Number matching…..
Chao7722@reddit
Configure multiple Conditional Access policies for different scenarios, such as location-based MFA and number matching. Use phishing-resistant authentication methods like passkeys on smartphones or hardware tokens such as YubiKey, preferably the Bio variant where feasible. When passkeys are used, MFA prompts can be triggered more frequently with minimal user friction, for example a PIN entry or biometric verification.
If users consistently approve the few authentication prompts blindly, just have managers deal with them.
OkEmployment4437@reddit
number matching basically solved this for us overnight. Once users had to actually look at a number on screen instead of just hitting approve, the mindless tapping stopped. But the other thing we did that honestly mattered more was tuning conditional access so they weren't getting prompted 15 times a day. If every app and every session triggers MFA, people just stop caring; it's background noise at that point. We cut it down to maybe 3-4 meaningful prompts per day and suddenly users actually paid attention again when one popped up.
DarthJarJar242@reddit
Yep. Had the lead engineer in our cyber-range get compromised because he was successfully phished and then approved not one but three different MFA prompts to access his accounts. They changed his password and while our systems did flag everything nothing was actually actioned until after HR had already contacted the user to ask if he had intended to change his direct deposit account.
Pretty rough one. He didn't work for us very long after that incident.
blbd@reddit
You have to switch to phish proof authentication methods. Like device trust. Or matching something in the MFA prompt.
Ok_Wasabi8793@reddit
Yea to number matching.
corruptboomerang@reddit
Use the one that asks you to pick the right number. You can't 'approve' it if it's not correct.
SpecialRespect7235@reddit
Aside from enabling number confirmation, you should look into SSO and work to reduce the number of MFA prompts people need to go through. That way they take the prompts that they still get seriously.
AlkalineGallery@reddit
If you use mfa prompts that are a simple click to allow, your security team needs to be fired.
finalpolish808@reddit
Yes, so we enforce code entry now.
Accomplished_Fly729@reddit
???? Is push even possible anymore outside of the nps extension???
Ok-Double-7982@reddit
What? No.
hitman133295@reddit
This is why you don’t allow push notifications
imnotsurewhattoput@reddit
For the most part it works well and users report suspicious pushes but there are some users who just accept everything. We usually find those looking through logs after an incident