Multi-factor Authentication (MFA) is the cornerstone of cyber security and with good reason. MFA makes it harder for cybercriminals to hack your accounts and prevents them from stealing sensitive information. It also acts as a deterrent for less sophisticated cyber criminals who go after low-hanging fruit i.e. those that use weak passwords and no MFA.

Unfortunately, there will always be more sophisticated cyber criminals that look for workarounds or means of bypassing the best security practices – and that’s true of MFA. In the last year, two highly sophisticated cyber gangs have developed a method of bypassing MFA and used it to attack a host of high-profile organisations.

The groups in question – among them Lapsus$ and APT 29– use a method known as MFA Bombing and typically targets your Microsoft accounts or similar. The groups repeatedly enter your username and password, prompting hundreds of requests from your authenticator app to verify your login – inevitably causing frustration or a slip in concentration, at which point the login attempt is verified. Others take a different route, sending a single request each day in the hope of flying under the radar. Either way, it’s an insidious route past an otherwise robust method of security?

Should you be worried? Maybe not worried but definitely wary. In the main, MFA is still a strong line of defense against cyber attacks, and we certainly don’t recommend that you ditch it. There are however steps you can take to mitigate the threat posed by MFA Bombing:

  • Be aware of suspicious activity – and make sure that your team is too. If you start receiving multiple authentication requests or requests that you didn’t make contact with your MSP immediately. Don’t verify any request that you didn’t make.
  • Consider using a more robust alternative to MFA – like FIDO2. FIDO2 is a passwordless authentication system from the FIDO alliance. It works in a similar way to MFA, but requires the user to authenticate themselves on the device they’re trying to access using either fingerprint recognition or a camera
  • Use a hardware authentication device, such as a YubiKey or Nitrokey, that supports FIDO protocol. These devices use asymmetric key cryptography to authenticate you to a site or service, making them nigh on impossible to hack.

Remember, as with all security issues, vigilance is crucial – it’s your first line of defense. If you spot any unusual behaviour or if you are concerned you may have been compromised, speak to an expert.

As ever, prevention is better than cure. If you need to bring your cyber security up to scratch we always recommend the Governments Cyber Essentials. If you need expert advice and opinion, we’re always happy to help. Get in touch at