What is Duo Fatigue? Why is It Dangerous?

Several years ago, UVA Information Security brought Duo multi-factor authentication to almost all University online accounts. This service protects you, the user, from the bad guys who may have stolen your computing ID and/or password. Even if they try to log in with stolen credentials, YOU still have to authorize their access with Duo, whether with a phone call or an app alert on your phone.

The bad guys have learned that if they bombard you with repeated Duo requests, there’s a good chance you will just press APPROVE to stop the annoyance. If you do that, your account and all its assets are then available to the hackers – payroll, email, everything.

It’s easy to stop this – just don’t press Approve unless you have asked to log in. Duo (and UVA) NEVER EVER ask you to authenticate out of the blue – the authentication request has to come from you.

If you think the bad guys are trying to wear you down, press the Red Deny button in the smartphone Duo app. If you get a phone call, press 9 to report fraud. You may also report multiple Duo notifications that you did not initiate to [email protected] or call the UVA help desk at 434-924-4357.

Information Security may call you or send you an email from ServiceNow with alerts about your Duo activity. Please take the time to read these and respond if you think there is an issue.

For more information on Duo/MFA fatigue, see the article: https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/
For more information regarding MFA and its benefits, see the article: https://www.cisa.gov/MFA

By: Tony Townsend
March 3, 2023


Source URL: https://security.virginia.edu/what-is-duo-fatigue