With attackers trying every form of phishing scheme to get at your personal information, it is critical to take every precaution to protect your data. Multi-factor authentication (MFA) is one way to boost account security, but it has to be set up correctly, and even then you should watch for malicious prompts that hand an attacker the code or approval they need to log in as you.
Two-factor authentication can be compromised
First, a reminder that two-factor and multi-factor authentication are not quite the same thing. 2FA is simply MFA with exactly two factors. In either case the factors are supposed to come from different categories: something you know (a password or PIN), something you have (a phone that receives an SMS code, an authenticator app that generates a time-based one-time password, or a hardware security key) and something you are (a fingerprint or face scan). A password plus a PIN is two knowledge factors; that is two-step verification rather than true two-factor authentication, because an attacker who can phish one can phish the other the same way.
Knowledge factors, and any possession factor that boils down to a code you type in, can be phished: a fake login page asks for the code and relays it to the real site before it expires. SMS codes are the weakest option because, on top of that, they can be intercepted by someone who takes over your phone number (a SIM swap), so prefer an authenticator app if you have the choice, or better still a hardware security key or passkey, which is bound to the genuine site and cannot be relayed to a lookalike. Bad actors may also try to trick you into approving fake or attacker-triggered 2FA prompts.
How to identify malicious 2FA prompts
One way attackers get past push-notification 2FA is by wearing you down with repeated authentication requests, a tactic known as prompt bombing or MFA fatigue. Each prompt is a real login attempt made with your password, which the attacker already has. You may get dozens, even hundreds of push notifications in a short span, often late at night when you are less likely to be thinking clearly. The attacker is counting on you approving one just to make them stop. Don't. A 2FA prompt when you are not trying to log in is an instant red flag, and it also tells you your password is compromised. Services that make you type a number shown on the login screen into the app (number matching) exist precisely to defeat this tactic.
Another sign of a malicious prompt is a login attempt from an unfamiliar device or region, for example a Google notification for a Windows machine when you only use a Mac, or a location in a country you have never been to. Be wary, too, of sign-in pop-ups that ask for permissions unrelated to the service, such as access to all of the contacts on your device.
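The two warning signs above, a burst of push prompts and an approval from a device or country the user has never used before, are also what a defender looks for on the server side. The following is an added example, not code from the original article: it runs both checks over a small constructed authentication log. The JSON-lines format (fields `ts`, `user`, `event`, `device`, `country`) and the thresholds are assumptions for illustration; real identity providers name these fields differently.

```python
"""Flag MFA push 'prompt bombing' and approvals from unfamiliar devices or
countries in authentication logs.

Added example, not from the original article. The JSON-lines format below
(fields ts, user, event, device, country) is a constructed, hypothetical one;
real identity providers name these fields differently.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 5                   # this many push prompts...
BURST_WINDOW = timedelta(minutes=10)  # ...within this window counts as bombing

# Constructed sample: alice normally approves from a Mac in the US. One night
# an attacker holding her password triggers six pushes from Windows/Brazil in
# six minutes; she denies two, ignores the rest, then finally approves one.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:02:11Z", "user": "alice", "event": "push_approved", "device": "macOS", "country": "US"}
{"ts": "2024-03-01T13:40:05Z", "user": "alice", "event": "push_approved", "device": "macOS", "country": "US"}
{"ts": "2024-03-02T02:14:03Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:14:40Z", "user": "alice", "event": "push_denied", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:15:10Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:16:02Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:16:30Z", "user": "alice", "event": "push_denied", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:17:14Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:18:21Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:19:30Z", "user": "alice", "event": "push_sent", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T02:19:55Z", "user": "alice", "event": "push_approved", "device": "Windows", "country": "BR"}
{"ts": "2024-03-02T08:00:00Z", "user": "bob", "event": "push_approved", "device": "iOS", "country": "US"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def _prune(times, now):
    """Drop timestamps that have fallen out of the burst window."""
    while times and now - times[0] > BURST_WINDOW:
        times.pop(0)


def detect(events):
    """Return (timestamp, user, finding, detail) tuples.

    prompt_bombing:         BURST_THRESHOLD prompts within BURST_WINDOW
    unfamiliar_approval:    approval from a (device, country) this user has
                            never approved from before
    approval_after_bombing: approval while a burst is still in progress, i.e.
                            the attacker most likely got in
    """
    findings = []
    sent = defaultdict(list)   # user -> recent push_sent timestamps
    known = defaultdict(set)   # user -> {(device, country)} from earlier approvals
    for rec in events:
        user, now = rec["user"], rec["ts"]
        _prune(sent[user], now)
        if rec["event"] == "push_sent":
            sent[user].append(now)
            if len(sent[user]) == BURST_THRESHOLD:   # fire once per burst
                findings.append((now, user, "prompt_bombing",
                                 f"{BURST_THRESHOLD} prompts within {BURST_WINDOW}"))
        elif rec["event"] == "push_approved":
            where = (rec["device"], rec["country"])
            # A user's first approval seeds the baseline and is not flagged.
            if known[user] and where not in known[user]:
                findings.append((now, user, "unfamiliar_approval",
                                 f"approved from {where}; usual: {sorted(known[user])}"))
            if len(sent[user]) >= BURST_THRESHOLD:
                findings.append((now, user, "approval_after_bombing",
                                 f"approved after {len(sent[user])} prompts in {BURST_WINDOW}"))
            known[user].add(where)
    return findings


if __name__ == "__main__":
    for ts, user, kind, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {kind:<24} {detail}")
```

On the sample, the burst is flagged at the fifth prompt (02:18:21), and the approval at 02:19:55 is flagged twice: once because Windows/Brazil is new for alice, once because it landed inside an active burst. The second finding is the one to page on; the first alone is how a legitimate new laptop also looks, so it should raise the priority of other signals rather than stand by itself.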
Attackers may also call, text, or email you and ask you to read back the SMS code you just received, often while they are triggering that code themselves by attempting to log in. Phone numbers and email sender addresses are easy to spoof, so don't trust caller ID or a sender name even if it looks legitimate. No legitimate company will call unsolicited and demand your password or authentication code, so hang up or ignore these messages.
Bottom line: If you receive a 2FA request you did not initiate, whether by push notification, text, or any other method, deny or ignore it, then change the password on that account, because the prompt itself means someone already has your current password. Do this by going directly to the website or app, never through a link in the message, which may lead to a phishing site that collects even more of your information. Before entering credentials anywhere, look at the address bar for lookalike or swapped characters and at the page for poor spelling or grammar. If you did approve a prompt or hand over a code, assume the attacker is in: change the password, sign out of all other sessions, and check the account's recovery options and registered devices for anything you did not add.
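Spotting "sneaky or lookalike characters in web addresses" by eye is unreliable, since a Cyrillic а and a Latin a render identically, and browsers may show such a domain in its encoded `xn--` form. The check below is an added example, not code from the original article: it decodes a link's hostname, reports mixed alphabets and non-ASCII letters, and folds a small hand-picked subset of Unicode confusables and digit swaps to Latin so that imitations compare equal to the brand they copy. The `TRUSTED` allowlist and the `CONFUSABLE` table are assumptions for illustration; a production tool would use the full Unicode confusables data.

```python
"""Check the hostname of a link for lookalike tricks before trusting it.

Added example, not from the original article. TRUSTED stands in for your own
list of sites you log into, and CONFUSABLE is a small hand-picked subset of
the Unicode confusables table; both are assumptions for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"google.com", "paypal.com", "microsoft.com"}   # assumed allowlist

# Cyrillic/Greek/IPA letters that render almost identically to Latin ones.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u03bf": "o",
    "\u0261": "g",
})
# Digit-for-letter swaps that stay within plain ASCII (g00gle, paypa1).
ASCII_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname(url):
    """Lower-cased hostname with punycode (xn--) labels decoded to Unicode,
    so a disguised non-Latin letter becomes visible to the checks below."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass   # already Unicode, or malformed punycode: inspect as-is
    return host.lower()


def scripts(host):
    """Unicode scripts used by the letters in host, taken from the character
    names (e.g. 'LATIN SMALL LETTER A' -> LATIN). More than one is a red flag."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def skeleton(host):
    """Fold confusable characters to plain Latin so lookalikes compare equal
    to the domain they imitate."""
    folded = unicodedata.normalize("NFKC", host).translate(CONFUSABLE).translate(ASCII_SUBS)
    return folded.replace("rn", "m").replace("vv", "w")


def assess(url):
    """Return (decoded hostname, reasons to distrust it). An empty list means
    nothing suspicious was found, not that the site is safe."""
    host = hostname(url)
    if host in TRUSTED:
        return host, []
    reasons = []
    used = scripts(host)
    if len(used) > 1:
        reasons.append(f"mixed scripts {sorted(used)}")
    if any(ord(ch) > 127 for ch in host):
        # Legitimate internationalised domains exist, so this is a signal, not proof.
        reasons.append("non-ASCII characters in hostname")
    sk = skeleton(host)
    for trusted in sorted(TRUSTED):
        if host.endswith("." + trusted):
            continue   # genuine subdomain spelled with the genuine characters
        if sk == trusted or sk.endswith("." + trusted):
            reasons.append(f"looks like {trusted} but is spelled {host!r}")
        elif trusted.split(".")[0] in sk:
            reasons.append(f"brand {trusted.split('.')[0]!r} inside an unrelated domain")
    return host, reasons


if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin",
                 "https://xn--pypal-4ve.com/login",   # punycode for p+Cyrillic а+ypal.com
                 "https://g00gle.com/",
                 "https://paypa1-secure.com/"):
        host, reasons = assess(link)
        print(f"{host:<24} {reasons or 'no red flags'}")
```

The genuine `accounts.google.com` passes because it ends in the allowlisted domain spelled with the real characters; the punycode host decodes to a Cyrillic-а version of paypal.com and is flagged three times; `g00gle.com` collapses to `google.com` after digit folding; and `paypa1-secure.com` is caught only by the brand-in-unrelated-domain rule, which is the kind of domain the "go directly to the website, never via the prompt" advice above is meant to defeat.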