Two-factor authentication (also known as, “Multi-factor Authentication (MFA)”) provides an extra layer of security for your accounts, but it’s important to think before you click. Cybercriminals can use an attack method called 2FA prompt bombing to bypass 2FA protections and overwhelm you with prompts via the Push feature of Duo.

For example, cybercriminals may try to log in to an account using your credentials, then request a push 2FA verification, which sends the prompt to your phone. Cybercriminals often request these verifications late at night when you’re asleep and unprepared. If you accept the push and verify your identity, you may grant the cybercriminals access to your account. Once cybercriminals bypass your 2FA, they can use your account to achieve their malicious goals.

Don’t let 2FA give you a false sense of security. Follow the tips below to protect yourself from 2FA prompt bombing scams:

• Never approve a 2FA Push notification on Duo that you did not request. 
  If you use a shared departmental account, while not advisable or authorized, verify the request with the other account holders before taking action.
• If you receive a 2FA push notification which you did not request, you should immediately change your password for the associated account. You should also consider updating your passwords for any accounts that use the same credentials.
• Create unique, strong passwords for each of your accounts. Without your password, it is difficult for cybercriminals to reach the 2FA step of the login process.

If you suspect a 2FA prompt bomb, first decline the request and then follow up with questions or concerns by contacting the OIT HelpDesk at 865-974-9900.