How Zero Trust can help combat MFA fatigue

Multi-factor authentication (MFA) has become a go-to solution for cybersecurity. However, with constant pop-ups plaguing users’ devices, complacency has become another challenge hampering the strength of this defence. So, what’s the solution? Tim Mercer, Vapour CEO, talks about the threat of MFA bombing and explores how to combat the noise with zero trust network architecture (ZTNA), employee empowerment, disaster recovery contingencies, and more.

A step up from its predecessor, two-factor authentication (2FA), MFA has become the cybersecurity solution of choice for most businesses. A core component of any strong identity and access management policy, it requires users to enter information from a number of independent criteria before gaining entry to a certain device, account, or resource. But it’s not the silver-bullet solution many might think.

An overwhelming 95% of organisations have embraced MFA in some capacity, according to IDEE. Yet, a disconcerting 50% of IT leaders expressed a slight confidence crisis when describing their solution as only ‘somewhat effective’ against cyberattacks.

There’s no saying why decision makers are putting so much faith in bad MFA. Perhaps it’s their fatalistic outlook — viewing breaches as a matter of ‘when’, rather than ‘if’ — that makes them gravitate towards MFA as the accepted best-in-class solution, often without critically assessing its efficacy. That's not to say MFA is inherently flawed. Rather, relying on it as a standalone solution isn’t enough to combat modern threats.

The threat of MFA bombing

MFA fatigue is real. Users are swarmed with so many access notifications every day — emails, SMS messages, mobile pop-ups, and more — that it becomes overwhelming to know what's real and what isn't. But it's this exact feeling that threat actors prey on. With MFA bombing, you'll be inundated with a barrage of seemingly legitimate access requests in an attempt to gain entry to your sensitive accounts and data. In the heat of the moment, you might be tempted to click 'allow' without a second thought.

This is exactly what cybercriminals are banking on, and what makes MFA bombing so insidious. It’s cheap, and it’s simple. It doesn't require sophisticated technology or elaborate schemes. Instead, it preys on our vulnerabilities as busy, distracted individuals navigating a digital landscape filled with constant interruptions. And, while it’s not a new attack as such, it’s growing more convincing.

In one of the more recent incidents, threat actors exploited a bug in the Apple ID password reset system to gain entry to users’ accounts. The elaborate scheme worked by displaying system-level prompts on devices, preventing them from being used until ‘allow’ or ‘don’t allow’ had been selected. If that step failed, perpetrators went on to spoof the Apple customer support number and ask the victim to ‘verify’ a one-time code.

It goes without saying, then, that a multi-layered approach to cybersecurity is more important than ever right now. In an era of hybrid working, where decentralised IT systems complicate threats, making it more difficult to bypass and impersonate users is key.

Integrating Zero Trust principles

‘Never trust, always verify’ is the essence of ZTNA. By treating all networks, users, and devices as suspicious, it ensures every access request, regardless of its origin, undergoes stringent validation before entry is granted. From device health to user behaviour, this validation process continues during usage too, minimising the risk of threat actors infiltrating the network and accessing sensitive data.

At this point, you might be thinking, “what’s the difference between this and MFA?”. At first glance, they seem similar. However, MFA is just one component of the broader Zero Trust strategy, verifying the user’s identity through factors like passwords, biometrics, and security tokens. ZTNA, on the other hand, goes one step further — continuously evaluating the user's authorisation in real-time, even after initial authentication.

With the integration of MFA into ZTNA, unauthorised access can still be prevented, even if a user’s primary authentication factor is compromised. So, it’s truly robust. 

Empowering your strongest (or weakest) asset

But successful cybersecurity strategies shouldn’t just hinge on tech. If MFA bombing teaches us anything, it’s that humans can be an organisation’s biggest (or strongest) weakness. So, empowering employees with insights on the latest threats, and knowledge on how to overcome them, is key to protecting the business at large.

And that doesn’t just mean handing over a training manual for passive consumption. Fostering a culture of vigilance and accountability, through ongoing training initiatives, encourages employees to take ownership of their cybersecurity responsibilities — maximising the security posture of business across the board. From frontline staff to senior executives, everyone has a role to play in protecting sensitive data and assets from rising threats.

Always have a ‘plan B’

No matter how secure your defences, there’s always a chance something will slip through the cracks — not least with the current pace of change. That’s why you need a safety net. Disaster recovery plans act as a critical damage control mechanism if the worst-case scenario becomes a reality. It’s not just about backing up your data (although that’s crucial too!). Instead, it’s about having comprehensive protocols in place to identify and contain breaches, before restoring systems and data, and communicating with stakeholders. 

More importantly, it’s not a one-and-done deal. It's an ongoing process that requires regular testing, updating, and refinement to ensure  effectiveness. By plugging time and resources into disaster recovery planning, you're investing in the resilience and longevity of your business. In such a competitive market, where downtime can spell disaster for both finances and reputation, this has never been so crucial.

Backed by more than a decade of experience, and with deep-rooted relationships with the industry’s most elite security specialists — including Veeam and Fortinet — we understand this complex world inside out.

Don’t let cybersecurity headaches keep you awake at night. Talk to our seasoned experts about our cloud security toolkit, and unlock true resilience today.

Posted By Vapour Comms Team

The A-Z of Workplace technology.

Request your free guide here…
  • This field is for validation purposes and should be left unchanged.

Warning: Undefined variable $prev_title in /home/vpsckat22/public_html/wp-content/plugins/oxygen/component-framework/components/classes/code-block.class.php(133) : eval()'d code on line 7
sign up for latest news
  • This field is for validation purposes and should be left unchanged.