Be on the lookout for multifactor authentication (MFA) bombing — especially for unsolicited Duo Security notifications on your smartphone.
MFA bombing (also called MFA fatigue or push bombing) happens when an attacker bombards you with repeated account-access requests until you get tired of the annoyance and approve one in the hope of making it stop. Once a single Duo request is approved, the attacker has a working session and can use it to add an MFA device they control to your account, giving them continued access even after the original prompt is gone.
Don’t be confused by its many names — multifactor authentication (MFA), two-factor authentication (2FA) or 2-step verification. MFA provides an extra layer of security to help safeguard your university account.
The multifactor aspect is the requirement that you provide one or more additional factors, beyond your password, when logging in to an account. Authentication factors fall into three groups: something you know, such as your password; something you have, such as a physical security key, the smartphone running Duo Mobile or a backup code; and something you are, such as a fingerprint or facial scan. Your username is not a factor, since it is not secret.
MFA helps keep cybercriminals out of your account even if they have stolen your username and password. MFA is a valuable security control, but it is not foolproof: attackers can still get into your personal and university accounts if you approve a prompt you did not initiate or give away your credentials.
Protect yourself from MFA bombing
- Deny and report unsolicited Duo notifications. If you receive one or several Duo notifications that you did not initiate, do not approve any of them. Instead, select Deny and then Report. This generates a ServiceNow ticket that OIT Security and Compliance will review and investigate.
- Automatic lockout. While an MFA bombing often consists of tens or hundreds of unsolicited Duo notifications, NC State’s Duo configuration locks your university Duo account after 10 consecutive unanswered Duo Push notifications. This safeguards your account while OIT investigates the possibility of cybercriminal activity. Duo sends a push only after a correct username and password have been entered, so an unsolicited push means someone else already has your password. Change it immediately.
- Connectivity issues. Not all unanswered Duo notifications are due to cybercriminal activity. Faulty or absent network connections can interfere with the Duo Push notifications you initiate; for example, if Wi-Fi or cellular connectivity is spotty or unavailable, you may need to resend a Duo Push until one arrives. Each push you never receive still counts as unanswered, so if 10 consecutive requests go unanswered your university Duo account will be locked.
- New smartphone. Push notifications are delivered only to phones on which you have activated the Duo Mobile app, so if you have not activated it on a new smartphone, they will not appear there and will go unanswered. For many users this is resolved by reactivating Duo Mobile on the new phone.
- Never share your password with anyone! No matter who asks for your password, do not provide it; doing so violates university policy. NC State IT personnel will never ask you for your password, so if anyone claiming to work for the university asks for it for any reason, report the incident via the NC State IT Service Portal or call 919.515.4357 (HELP). Note: On occasion a student’s parents or guardians ask for the student’s credentials; sharing them is also against university policy. Instead, students can grant their parents or guardians access to payment and other information.
- Use passphrases as strong passwords, and never use the same password for more than one account!
- Create good security questions and answers. Security Q&As — sometimes referred to as User Identification and Authentication (UIA) questions — are required to verify your identity when you reset your password, request a one-time 2FA bypass code for Duo, or contact the NC State Help Desk via phone.
- Answers are case-sensitive and must be entered exactly as originally recorded when you use self-service.
- You may want to use a password manager. You can use the university’s enterprise LastPass software to generate a random answer, or to store secure notes and other information such as security questions and answers. Generating random answers is the most secure approach, because true answers (a pet’s name, a first school) can often be found online; the longer the answer, the better. With a password manager, you won’t have to worry about remembering your answers. Note: If you purchase a LastPass Enterprise user license at NC State, you are entitled to a free personal premium account.
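The guidance above describes what MFA bombing looks like from the user's side: a burst of pushes, an eventual approval, or a run of unanswered pushes that trips the 10-push lockout. The script below is an added example of how a security team could spot the same patterns in authentication logs; it is not code from the NC State page or from Duo. The record fields (user, timestamp, factor, result, reason, ip) are modelled on the shape of Duo's authentication log, but every record here is constructed for the example, and all thresholds other than the page's 10-push lockout are assumptions. It deliberately flags a lockout-only pattern separately, because, as the page notes, that can just as easily be spotty connectivity or an unactivated new phone.

```python
"""Flag possible MFA bombing in Duo-style authentication log records.

Added example, not NC State's or Duo's own tooling. Record layout is
modelled on Duo's authentication log; the data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 10               # page: Duo locks after 10 consecutive unanswered pushes
BURST_WINDOW = timedelta(minutes=10)  # assumption: window for "too many pushes"
BURST_THRESHOLD = 5                   # assumption: pushes in that window worth a look


def _make_sample_log():
    """Constructed JSON-lines log (not real data) covering the page's scenarios."""
    base = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    rows = []

    def add(user, minutes, result, reason, ip):
        rows.append({"user": user,
                     "timestamp": (base + timedelta(minutes=minutes)).isoformat(),
                     "factor": "Duo Push", "result": result, "reason": reason, "ip": ip})

    for m in range(5):                      # alice: five unanswered pushes in four minutes...
        add("alice", m, "denied", "no_response", "203.0.113.7")
    add("alice", 5, "success", "user_approved", "203.0.113.7")   # ...then she gives in
    for i in range(10):                     # bob: one unanswered push every 12 minutes
        add("bob", 12 * i, "denied", "no_response", "198.51.100.20")
    add("carol", 30, "denied", "no_response", "203.0.113.9")     # carol: denies, then
    add("carol", 31, "fraud", "user_marked_fraud", "203.0.113.9")  # reports as fraud
    add("dave", 40, "success", "user_approved", "192.0.2.55")    # dave: normal login
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOG = _make_sample_log()


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware 'ts' field."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    return events


def detect_mfa_bombing(text):
    """Return {user: [(alert_kind, detail), ...]} for suspicious push activity."""
    by_user = defaultdict(list)
    for e in parse_log(text):
        if e.get("factor") == "Duo Push":
            by_user[e["user"]].append(e)

    alerts = defaultdict(list)
    minutes = int(BURST_WINDOW.total_seconds() // 60)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = []            # pushes inside the sliding burst window
        unanswered_run = 0     # consecutive pushes the user never answered
        burst_reported = False
        for e in events:
            recent = [r for r in recent if e["ts"] - r["ts"] <= BURST_WINDOW]
            recent.append(e)
            reason = e.get("reason")

            if reason == "user_marked_fraud":   # user did Deny + Report: top priority
                alerts[user].append(("fraud_report",
                                     f"user reported push from {e['ip']} as fraud"))
            if len(recent) >= BURST_THRESHOLD and not burst_reported:
                alerts[user].append(("push_burst",
                                     f"{len(recent)} pushes within {minutes} min"))
                burst_reported = True

            if reason == "no_response":
                unanswered_run += 1
                if unanswered_run == LOCKOUT_THRESHOLD:
                    # Could be an attacker, bad connectivity or a new phone: triage, don't assume
                    alerts[user].append(("lockout_threshold",
                                         f"{unanswered_run} consecutive unanswered pushes"))
            elif reason == "user_approved":
                if len(recent) >= BURST_THRESHOLD:
                    # The attacker's goal: an approval that ends a burst. Treat as compromise.
                    alerts[user].append(("approved_after_burst",
                                         f"approval from {e['ip']} after {len(recent) - 1} pushes"))
                unanswered_run = 0
            else:
                unanswered_run = 0   # an explicit deny or fraud report breaks the run
    return dict(alerts)


if __name__ == "__main__":
    for user, items in detect_mfa_bombing(SAMPLE_LOG).items():
        for kind, detail in items:
            print(f"{user}: {kind}: {detail}")
```

Alice's `approved_after_burst` is the case the page warns about, and the one to act on first alongside any `fraud_report`: the attacker already had the password, so reset it and review the account's enrolled MFA devices. Bob's `lockout_threshold` without a burst is exactly the connectivity or new-phone pattern, so it belongs in a help-desk queue rather than an automatic block.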
Recover account access
If Duo locks your account, request assistance via the NC State IT Service Portal or call 919.515.4357 (HELP).
For additional information about MFA bombing, see the following resources: