Tag: multi-factor authentication

  • We all know MFA is important, but many users are expressing symptoms of “MFA fatigue”

    We all know MFA is important, but many users are expressing symptoms of “MFA fatigue”

    Multi-factor authentication, commonly called MFA, has become one of the most important protections a business can put in place. It helps stop attackers from getting into company accounts even when a password has been stolen, guessed, reused, or leaked in a breach. However, there is a real problem many businesses are running into: people are tired of MFA prompts.

    Employees are juggling email, Teams, payroll systems, accounting tools, CRMs, file sharing platforms, vendor portals, and remote access systems. When every app seems to ask for another code, another approval, or another phone notification, MFA can start to feel like a daily annoyance instead of an important security control.

    That frustration is understandable. But turning MFA off, weakening it, or only applying it to a few users is not the answer. The right answer is to build an MFA strategy that protects the business without making employees miserable. Passwords are no longer enough to protect business accounts. NIST notes that MFA adds protection by requiring more than just a username and password, using a combination of something you know, something you have, or something you are.

    For a small business, one compromised account can create a chain reaction. If an attacker gets into email, they may be able to reset passwords for other services, read invoices, impersonate executives, redirect payments, access sensitive files, or launch phishing attacks against clients and vendors. That is why MFA matters so much. It creates a second barrier between a stolen password and your business data.

    The problem is that not all MFA is equally strong. Microsoft has warned that traditional MFA methods like SMS codes, email one-time passcodes, and basic push notifications are becoming less effective against modern attackers, especially when attackers use phishing, social engineering, or MFA bombing to wear users down. In other words, the goal should not simply be “turn on MFA.” The goal should be to use the right kind of MFA in the right places.

    First let’s identify what we mean by “MFA fatigue”, MFA fatigue can mean two different things. first is normal user frustration. Employees get annoyed when they are prompted too often, especially if prompts feel random, repetitive, or disruptive.

    The second is an actual attack technique. In an MFA fatigue or “push bombing” attack, a criminal already has the user’s password and repeatedly sends MFA approval prompts, hoping the user eventually taps “approve” just to make the noise stop. Microsoft specifically identifies user fatigue and MFA bombing as ways attackers bypass weaker authentication methods. This is why businesses need to treat MFA fatigue seriously. It is both a usability issue and a security issue.

    Some businesses technically have MFA enabled, but only in a limited or inconsistent way. That can create a false sense of security. Common issues include:

    • MFA is required for some employees but not all.
    • Admin accounts are not protected with stronger authentication.
    • Email-based MFA is used as the primary method.
    • SMS codes are allowed for sensitive accounts.
    • Employees receive push prompts without number matching or location context.
    • Legacy authentication methods are still allowed.
    • Former employees, contractors, or shared accounts are not reviewed.
    • MFA recovery processes are informal or undocumented.

    These gaps matter, attackers usually do not need access to every account. They only need access to one useful account. A compromised mailbox can lead to business email compromise, fraudulent payment requests, client impersonation, data theft, or ransomware. For businesses that work with regulated data, financial information, legal documents, healthcare information, or client confidential records, the risk is even higher.

    A good MFA strategy should be strong, simple, and consistent. It should protect the business while reducing unnecessary friction for users. First, require MFA for every user. MFA should not be limited to owners, managers, or employees who “handle sensitive information.” In a modern cloud environment, almost every account has some level of business risk.

    Second, prioritize stronger authentication methods. App-based MFA is better than SMS or email-based verification, but phishing-resistant methods are better still. Microsoft describes passkeys as phishing-resistant credentials that can serve as an MFA method, and notes that they can reduce prompts while improving security.

    For most small businesses, a practical MFA roll out path looks like this:

    1. Eliminate email-based MFA wherever possible.
    2. Move users to an authenticator app with number matching.
    3. Use passkeys or security keys for administrators, finance users, executives, and anyone with access to sensitive systems.
    4. Keep SMS only as a temporary fallback, not the preferred method.
    5. Document account recovery so users are not locked out when phones are replaced or lost.

    Microsoft also notes that number matching is critical to reducing accidental MFA approvals, especially as MFA fatigue attacks increase. The best MFA setup is not the one that prompts users constantly. The best setup is the one that prompts users when it actually matters.

    Small businesses can reduce MFA fatigue by using smarter access policies. For example, users may not need to be prompted every single time they access a trusted app from a managed device in a normal location. But they should absolutely be challenged when signing in from a new device, an unusual location, a risky session, or a sensitive admin portal. This is where conditional access policies can help. Instead of treating every login the same, conditional access allows the business to apply stronger controls based on risk.

    A good policy may consider:

    • Who the user is
    • What app they are accessing
    • Whether the device is trusted
    • Whether the sign-in location is expected
    • Whether the account has administrative privileges
    • Whether the session appears risky

    This gives employees a smoother daily experience while still applying stronger controls when the risk is higher. MFA is not just a technical setting. Employees need to understand what to do when they receive a prompt. The rule should be simple: never approve an MFA prompt you did not initiate.

    If an employee receives an unexpected MFA prompt, that may mean someone already has their password. They should deny the request and report it immediately. Users should not ignore it, approve it, or assume it is a glitch. Training does not need to be complicated. A short, clear explanation is usually enough:

    “MFA prompts should only appear when you are actively signing in. If you get a prompt you did not request, deny it and contact IT.” That one rule can stop a serious  incident.

    Also, Administrative accounts deserve extra protection. These accounts can often change security settings, reset passwords, access sensitive data, create new users, modify mail flow, and approve applications. For admin accounts, stronger MFA should be required. Passkeys, FIDO2 security keys, or other phishing-resistant methods are strongly preferred. NIST also recommends phishing-resistant authentication for sensitive applications and users with elevated privileges. Business owners, finance users, HR users, and anyone who can approve payments or access confidential client data should also be considered high-risk.

    Special consideration should also be taken when addressing new employees. MFA should be built into onboarding, role changes, and offboarding. When a new employee starts, they should be enrolled in the correct MFA method from day one. When someone changes roles, their access and authentication requirements should be reviewed. When someone leaves the company, their sessions should be revoked, their account should be disabled, and their access should be removed promptly.

    This is especially important for small businesses because responsibilities often overlap. One person may handle finance, HR, operations, and vendor relationships. That makes account security even more important.

    The bottom line is MFA fatigue is real. Employees are tired of excessive prompts, confusing login flows, and security tools that get in the way of work, but avoiding MFA is not a realistic option. The risk of account compromise, payment fraud, data theft, and business disruption is too high. The better approach is to modernize MFA. Require it consistently, move away from weaker methods, use phishing-resistant authentication where possible, reduce unnecessary prompts, and train users to recognize suspicious activity.

    Security should not feel like punishment. Done correctly, MFA can become a normal, low-friction part of doing business safely. If your business is still relying on passwords alone, email-based MFA, SMS codes, or inconsistent MFA policies, now is the time to review your setup. Valley Techlogic can help evaluate your current Microsoft 365 and cloud security configuration, identify gaps, and build an MFA strategy that protects your business without overwhelming your users. Learn more today with a consultation.

    This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on X at https://x.com/valleytechlogic

  • Our UPDATED Guide to MFA (Multi-Factor Authentication)

    Our UPDATED Guide to MFA (Multi-Factor Authentication)

    Last year we had an article on our top picks for 2-factor authentication and we’ve touched on what makes a good password before. We thought it would be a good idea to refresh our advice on this topic and combine our tips into one easy to revisit guide.

    One thing that we surprising haven’t recommended often before but would like to now is implementing Microsoft 365 2-factor authentication on your account. We utilize Microsoft products heavily in our business and we find many of our clients are the same, Microsoft software solutions are deeply woven into their day-to-day business activities. You can find our quick guide to implementing it in last week’s article here.

    We’ve also touched on how implementing 2-factor on your Google account could decrease your odds of your account being hacked by half. In many cases it really is as easy as implementing the built in 2-factor settings in the accounts you utilize and you may not even need to install a 2-factor authentication software, you can simply have the codes texted to your mobile device.

    Since this is a guide though we still want to give you a recommendation on that though, for us we’ve utilized Microsoft’s authenticator program for the most part. We also found that Google’s Authenticator and Authy’s Authenticator mobile apps are very easy to use as well.

    It can be a little more convenient to have the 2-factor codes in one place, so you don’t have to request a code be texted every time you login (especially if you have a lot of different login’s you use throughout your workday).

    You may be asking yourself at this point, what’s wrong with just my plain old password? You may have typing it in down to muscle memory and you don’t have to retrieve a code from anywhere. Well, this chart on how long it can take a crack a password based on specific criteria will tell you why:

    How long would it take to break your password?

    Of course, the more complex your password is the greater the difficulty in cracking it, that brings us to our next bit of advice – utilize a password manager and have stronger (and varied) passwords.

    Across the board for Valley Techlogic our employees are using LastPass, we like that it’s cross device and cross platform and enjoy the warnings and alerts it gives us if a password has been possibly compromised or if we’re trying to reuse a password we’ve used before.

    However, any reputable password manager is going to be a big improvement over reusing simple passwords or trying to remember complicated ones.

    Even with a password manager, your passwords being compromised online is the main reason you should consider enabling 2-factor or multi-factor on your accounts. You can have strong varied passwords and your passwords may be leaked due a breach that’s outside your control. Webpages are hacked all the time, and if your banking password is part of a data breach it can then become available to bad actors on the dark web.

    With 2-factor enabled however, it won’t matter if they have your password as they would still need your authenticator program or your mobile device to login to the account. We think it’s worth the (very slight) inconvenience of a few seconds to have that level of security.

    If you’re security conscious and want to go even further, you can also use a security token to lock your device (highly recommended for sensitive work devices). That means the device is useless without the security token to be able to unlock it.

    Enabling multi-factor authentication across your business uniformly can be an uphill battle, but it is one we have experience with here at Valley Techlogic. As security regulations increase, this simple change will make a huge difference in your cybersecurity compliance level. Learn more today with a quick consultation.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • Summer is Here and with it Comes Vacations – Our Top 10 Travel Tech Tips

    Summer is Here and with it Comes Vacations – Our Top 10 Travel Tech Tips

    As we approach Fourth of July weekend, reduced COVID era restrictions have made travel feasible (and desirable) for many across the US for the first time since spring 2020. We all might be a little rusty when it comes to internet safety on the go or maybe you’re looking for tech tips that will make traveling easier? Well, we have you covered.

    Traveling and using your devices away from your home or office network carries some risks. Here are 5 things you should do before you travel to protect your devices.

    1. While traveling sometimes you can’t avoid using a public network, but one good way to protect your device is to make sure it’s been fully updated. That way it will be slightly safer when using less secure networks (although it’s still a good idea to avoid it if you can).
    2. Another good bit of advice is to make sure you have strong passwords, and to have a password manager setup and ready to go on the device you’ll be traveling with.
    3. One tool for traveling and using risky public networks is to enable a VPN, a VPN will help shield your data.
    4. You should also avoid logging into websites that contain important data, like your email or banking website on a public network.
    5. Finally, another good tip if you haven’t done so already is to set up “Find My Phone” on your mobile device. This will allow you to remotely wipe your mobile phone if you were to lose it while traveling (or possibly even find it if it’s still nearby).

    If you’re already on the road or away from home, we also have these 5 tips for making your travel easier with technology:

    1. Power banks are a must have while on the go, having a fully charged power bank on you will make sure you can charge your phone if the battery is low while you’re out and about.
    2. RFID blocking bags can help protect your personal information from intrusive scanning, especially for things like your credit card.
    3. Save pictures you take with your mobile phone automatically to the cloud with a service like Google Photos or Amazon Photos (the pricing for these products is very reasonable as well).
    4. A tip specifically for iPhone users, you can update friends and family on your airline travels just by texting them the airline and flight information. Texting “American Airlines 425” will allow them to tap and automatically see a flight tracker with the flight information. Handy!
    5. Looking for more legroom in your return flight home? Search SeatGuru to find the best seat on a particular flight.

    Company travel is a different can of worms, especially when it comes to securing your office devices while on the road. At a minimum, we recommend enabling 2-factor or multi-factor authentication for company devices – especially those that are used on the go. For Microsoft 365 users, it’s easy to setup multi-factor authentication. Here are the steps:

    Enabling MFA on Microsoft 365

    If your office needs help setting up multi-factor authentication for remote and traveling employees, Valley Techlogic would be happy to assist. Tell us more in a quick consultation.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.