Unprompted MFA Codes Are Bad News

March 19, 2024 / meritsolutions

Multi-factor authentication (MFA) is one of the most powerful tools in your cybersecurity arsenal. When enabled, MFA can prevent bad actors from breaking into your accounts, even when they have your username and password in hand.

Because MFA is so powerful against hackers, bad actors look for ways to get around it whenever possible. As such, if you receive an MFA request unprompted, ignore it.

When you enter your password on an account that has MFA set up, what typically happens depends on the method you chose. If you have SMS codes set up, the account will text an MFA code to your number. If you have MFA set up with verification codes, it will ask for the code from your verification app. If you have a trusted device set up as your MFA key, it will ask you to verify on that device.

No matter which form of MFA is used, the idea is that you, and you alone, have access to the MFA code. That way, even if someone else has your password, they can’t see the MFA text on your phone, the code within your verification app, or access your trusted device to verify their identity.

What hackers do, then, is attempt to defraud and trick you into handing over this valuable code. One way, if they do have your account details, is to simply log into your account to trigger the MFA code request. If you have MFA set up as a simple verification, rather than a code, you may be tempted to okay the request on your device and go about your day. However, if you do, the bad actors will be allowed into your account. Bad news.

In another scenario, they may reach out to you posing as the “company” that holds the account, saying they need to verify your identity and asking you to confirm the code sent to your device. They’ll log into your account, which will trigger the MFA code request. If it’s an SMS code, they’ll ask you to send them the code, which, of course, allows them to access the account.

While bad actors are getting more clever with their tactics, you can keep yourself safe by sharing your MFA codes and requests with no one. If your “bank” reaches out asking for your code, don’t share it. If you see an unprompted MFA request pop up on your smartphone, don’t grant permission. Only OK MFA requests and enter MFA codes when you know you are actively logging into the account itself.
