Main menu (IT)

Week 3 - Multi Factor Authentication

Once finished securing your passwords across all accounts following the guidelines outlined in last week's data protection post, it is time to take it a step further. This week we will learn about the added benefits and features that multi-factor authentication (MFA) brings to your #BeCyberSmart life. Actively practicing MFA in your daily online life, such as CSUN has been doing so with the use of Duo Mobile, which will drastically decrease the risk of your account(s) being compromised.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a second layer of security that is added to your online accounts. When you have MFA enabled on your accounts, you are directed to input your credentials, such as email, username, and password, like you would normally. After your credentials are cleared, you are sent a push notification to your phone, which you need to approve to log in. This is the second layer of security or authentication that MFA brings to your accounts. If your credentials get into the wrong hands of a nefarious hacker, they will not be able to gain access to your account because they need your phone to approve these login attempts.

Enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.

While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks, such as evilginx2.

However, a social engineering technique called 'MFA Fatigue', aka 'MFA push spam', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.

MFA Fatigue

Spammers and hackers have learned how to generate multiple MFA push notifications to a target user. The goal is to wear the user down so that they eventually approve one of those spam notifications. Therefore, if you are an employee who is the target of an MFA Fatigue/Spam attack, and you receive a barrage of MFA push notifications, do not panic, do not approve the MFA request, and do not talk to unknown people claiming to be from your organization.

CSUN and Duo Multi-Factor Authentication

CSUN continuously researches, develops, and implements new security measures to stay safe in the ever-evolving online world. Our mindset is always to be #BeCyberSmart, and to accomplish this, CSUN has implemented Duo MFA so that Faculty, Staff, and students can better protect their accounts. If you are not already enrolled with Duo on your CSUN account or want more information about Duo mobile, click here.

Where Else Can I Use Multi-Factor Authentication?

Many websites/organizations have implemented or are implementing multi-factor authentication to their online resources. Government accounts such as IRS and SSA accounts have already implemented MFA. Other important institutions, such as banks and medical care resources, have also implemented this security feature. To enable MFA, you must log in to their online portals and enable multi-factor authentication within their security settings. It is important to note that your institutions may not use Duo. Instead, they may use a different MFA application. No need to worry; at their core, they function similarly and are not drastically different from a user's perspective.

Return to October National Cyber-Security Awareness Month 

Follow along each week of October as we give tips to help keep your online life safe and secure. Share your appreciation for NCSAM with #BeCyberSmart and #CyberAware.

Visit: Week 1           Week 2            Week 3            Week 4