How to identify malicious two-factor authentication prompts

With hackers looking for ways to access your personal information through every form of phishing scheme, it is essential to take every precaution to protect your data. Multi-factor authentication (MFA) is one way to strengthen account security, but it must be used correctly, and even then you should watch for malicious prompts that hand bad actors the codes they need to log in as you easily.
Two-factor authentication can be compromised
First, a reminder that two-factor and multi-factor authentication are not necessarily the same thing. 2FA uses exactly two factors to verify a user's login, and both can be something that the user knows, like a password plus a PIN or SMS code. MFA, meanwhile, requires at least two independent factors, like a password (a knowledge factor) plus a biometric ID (an identity factor) or a time-based one-time password (a possession factor) from an authenticator app.
Knowledge factors (and certain possession factors) can be phished relatively easily, which is why 2FA codes sent via SMS are the worst authentication option, especially if you have alternatives. Bad actors can also try to get you to engage with fake 2FA prompts.
How to identify malicious 2FA prompts
One way hackers get around 2FA is to bombard you with repeated authentication requests, a tactic known as prompt bombing. You can get dozens, even hundreds of push notifications on your phone in a short period of time or late at night, when you are less likely to think clearly. Threat actors are counting on you getting annoyed enough to end up approving one of them. Don't do it. If you get a 2FA prompt when you aren't trying to log in to one of your accounts, it's an instant red flag.
Another sign of a malicious prompt is that the login attempt comes from an unknown device or region, for example a Google notification for a Windows machine when you are a Mac user, or a location in a completely different country. You should also be wary of prompts with pop-ups that request permissions unrelated to the application or service itself, such as the ability to access all of your device's contacts.
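For teams that review push-MFA logs, the red flags above (bursts of prompts, late-night timing, an unfamiliar device or region) can be checked automatically. The following is an added example, not part of the original article; the event format, the per-user baseline and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events (not real logs):
# (timestamp, user, device OS, country, result)
EVENTS = [
    ("2024-05-01T09:02:00", "alice", "macOS", "US", "approved"),
    ("2024-05-01T09:30:00", "bob", "Windows", "US", "approved"),
    ("2024-05-02T02:10:00", "alice", "Windows", "RO", "denied"),
    ("2024-05-02T02:10:40", "alice", "Windows", "RO", "denied"),
    ("2024-05-02T02:11:30", "alice", "Windows", "RO", "denied"),
    ("2024-05-02T02:12:10", "alice", "Windows", "RO", "denied"),
    ("2024-05-02T02:13:00", "alice", "Windows", "RO", "denied"),
    ("2024-05-02T02:13:45", "alice", "Windows", "RO", "approved"),
]
# Assumed per-user baseline of usual device OS and country.
KNOWN = {
    "alice": {"os": {"macOS"}, "countries": {"US"}},
    "bob": {"os": {"Windows"}, "countries": {"US"}},
}
BURST_COUNT = 5                       # assumed threshold, tune per environment
BURST_WINDOW = timedelta(minutes=10)  # assumed sliding window
NIGHT_HOURS = range(0, 6)             # assumed "late at night" hours

def flag_prompts(events, known):
    """Return (timestamp, user, reasons) for prompts showing the red flags above."""
    recent, alerts = {}, []
    for ts, user, os_name, country, result in sorted(events):
        t = datetime.fromisoformat(ts)
        window = recent.setdefault(user, deque())
        window.append(t)
        while t - window[0] > BURST_WINDOW:   # drop prompts outside the window
            window.popleft()
        base = known.get(user, {"os": set(), "countries": set()})
        reasons = []
        if os_name not in base["os"]:
            reasons.append("unknown_device")
        if country not in base["countries"]:
            reasons.append("unknown_region")
        if len(window) >= BURST_COUNT:
            reasons.append("prompt_burst")
            if result == "approved":          # user gave in mid-burst: treat as compromise
                reasons.append("approved_during_burst")
        if reasons and t.hour in NIGHT_HOURS:
            reasons.append("late_night")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_prompts(EVENTS, KNOWN):
        print(alert)
```

An approval that arrives in the middle of a burst is the case to escalate first, since it matches the outcome the attacker is waiting for.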
Hackers can also contact you by phone, SMS or e-mail to request your 2FA SMS codes. It is easy to spoof phone numbers and email addresses, so you should not trust the caller ID or a sender even if it seems legitimate. Companies will not call you to demand your password or authentication code, so hang up or ignore these messages.
Conclusion: If you receive suspicious 2FA requests via push notification, text or any other method, ignore them and change the password on the related account by going directly to the website or application, never via the prompt itself, because it can lead you to a phishing site that could further compromise your information. If you accidentally interact with malicious prompts, look for signs of a scam, such as sneaky or lookalike characters in web addresses and bad spelling or grammar.




