Recently, the University of Florida has seen a number of account compromises even though they all had Two-Factor Authentication with DUO. These accounts were compromised because the account owners fell for a special type of attack against their account called MFA bombing.
MFA Bombing, otherwise known as “MFA Spamming” or “MFA Fatigue Attack” is a situation where you are repeatedly presented with prompts, usually on your mobile devices, to approve a login. At the University of Florida, this is part of the normal login process for web and other resources after you have supplied the correct password.
If an attacker has your password, and they repeatedly login with it, you will receive a prompt for each login. The fatigue comes in response to receiving the prompt so many times, a person may decide to just approve the prompt so that they do not get bothered anymore. However, when they “approve” the DUO request, they are letting the bad guys into their account.
Let me tell you a story about something that happened to me. Once upon a time, I had a Twitter account (now X) and had setup the security to receive a text message for two-factor authentication, upon login. Every so often I would receive a text message stating, “Your Twitter login code is: 123456” even though I had not attempted to login. I did not immediately understand why this was happening, so I periodically would continue to receive the texts. However, these texts were basically telling me that someone had been using my password to login to my Twitter account. Once I understood that my password had been compromised on Twitter, I logged in and changed my password and those random texts stopped.
For X, SnapChat, or Facebook, a compromised password may not be that important to you. But if this happens to your UF account, a banking institution, or other financial account, the effects can be devastating and potentially not recoverable.
IMPORTANT: if you are receiving a Duo prompt and you were not attempting to login to a UF system, it is likely that someone has your password! Call the UF Help Desk (352-392-HELP) immediately. Alternatively, you can login at https://login.ufl.edu (Click the “Forgot/Reset Password” link) and use a non-default, Duo mode like a phone call or passcode so that you can change your password. However, you need to set those up ahead of time. Here is a link to the UF site to setup or change your MFA settings at UF: https://it.ufl.edu/2fa/
Always be alert to login prompts, especially if you are not expecting it.
UFIT has published a video demonstrating how MFA Bombing works, you can view it at https://www.youtube.com/watch?v=ZKoPU2ESHZI