Multi-Factor Authentication (MFA) Fatigue
Oct 28, 2025
Staying vigilant against cyberattacks and keeping your technology secure can be daunting. Cybercriminals constantly bombard everyone with phishing and smishing attacks, capitalizing on users’ exhaustion to steal passwords or confidential information (personal identification found in UCD Access, medical information and research, financial and HR information, etc.). That’s why it is crucial to stay vigilant and be extra mindful of attacks targeting multi-factor authentication (MFA) systems, like Duo, which are intended to add a layer of protection to your data, but only if you pay attention.
Cybercriminals may make repeated MFA requests, sometimes with many requests in a very short period of time, which is known as an MFA (Duo) Fatigue Attack. The malicious actor is hoping you will hit “Approve” just to make the alerts go away. Don’t fall for this tactic: never hit “Approve” unless it’s you. Call the Service Desk for immediate help if you experience this.
- Install the Duo app on your mobile device and select the Duo Push option for authenticating.
- Duo Push is the best practice for your authentication method; it is also quick and easy.
- SMS text or phone MFA with Duo is more easily compromised and vulnerable to phishing.
- The app displays the location of the MFA login request to verify that it’s you who is logging into your account. It is crucial to verify the location before approving the Push. If it is not your location, decline the Push.
What To Do When You Get a Suspicious Duo Push:
- Be cautious with Duo requests.
- Review where the Duo request originated from: is it your location?
- Did you make the Duo request? Is the timing correct?
- NEVER approve unexpected authentication requests.
- If your location and the timing of the request DON'T match, your credentials may have been compromised, and it could be a Duo phishing attempt; approving an unanticipated Duo request may grant a cybercriminal access to your account and data.
- Reject the request and contact the Service Desk.
- Change your password immediately if you get a Duo Push you did not prompt.
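For administrators, the pattern described above (many push requests in a very short period, possibly ending in an approval) can be flagged from authentication logs. The following is an added example, not part of the original notice and not Duo's own tooling; the log format, field names, five-minute window and threshold of four pushes are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 4                   # assumed: pushes per window that count as a burst

# Constructed sample records (hypothetical format, not Duo's log schema).
SAMPLE_LOG = """\
2025-10-28T09:00:05 user=asmith factor=push result=approved
2025-10-28T09:14:02 user=jdoe factor=push result=denied
2025-10-28T09:14:40 user=jdoe factor=push result=timeout
2025-10-28T09:15:11 user=jdoe factor=push result=denied
2025-10-28T09:15:55 user=jdoe factor=push result=timeout
2025-10-28T09:16:20 user=jdoe factor=push result=approved
2025-10-28T13:30:00 user=asmith factor=push result=approved
2025-10-28T14:02:00 user=blee factor=push result=denied
2025-10-28T14:02:30 user=blee factor=push result=denied
2025-10-28T14:03:10 user=blee factor=push result=denied
2025-10-28T14:03:45 user=blee factor=push result=denied
"""

def parse(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields

def detect_push_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: severity}; expects records in time order."""
    recent = defaultdict(deque)   # user -> timestamps of pushes inside the window
    alerts = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, f = parse(line)
        if f.get("factor") != "push":
            continue
        q = recent[f["user"]]
        q.append(ts)
        while ts - q[0] > window:      # drop pushes older than the window
            q.popleft()
        if len(q) >= threshold:
            # Approval inside a burst: the user may have tapped Approve to stop the prompts.
            if f["result"] == "approved":
                alerts[f["user"]] = "critical: approved during burst"
            else:
                alerts.setdefault(f["user"], "warning: push burst")
    return alerts

if __name__ == "__main__":
    for user, severity in detect_push_bursts(SAMPLE_LOG).items():
        print(user, "->", severity)
```

A "critical" result corresponds to the case this notice warns about and would warrant an immediate password reset and session review for that account.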
For more information, visit our Duo Phishing Awareness webpage.