MFA Bombing

An MFA Bombing attack (aka MFA Fatigue attack) is when a cyber-attacker sends a barrage of Duo Push notifications to your phone, hoping to wear you down until you approve one of their requests.

How? 

Multi-Factor Authentication (MFA) with the Duo Mobile app helps protect you and UF from cyber-attacks by ensuring only you can access your account. 

Recently, bad actors have been using a new tactic to bypass this security, in a practice that we call MFA Bombing. In these attacks, once an attacker has compromised your GatorLink password, they will begin spamming your phone with nonstop Duo Push and/or phone call requests, hoping you will cave in and approve a request – thus granting them access to your GatorLink account.

What do I do if this happens to me? 

Firstly, do not approve any of their requests! All it takes is one accidental approval to get locked out of your account, lose access to your emails and documents, and put your private information at risk. Deny any unwarranted Duo Pushes you receive and mark them as fraudulent if your Duo Mobile app asks you to do so.

Because the attacker is using your GatorLink password to send these requests, the best way to stop the barrage of Duo attempts is to reset your GatorLink password. To do this, go to the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” The portal will ask for your UFID, GatorLink username, birthday, and a one-time verification code sent to the phone number associated with your account. 

It is important to use “Forgot/Reset Your Password” and NOT “Change Your Password” because the latter option will require you to sign in with your GatorLink username, password, and Duo Authenticator – and you may accidentally approve the attacker’s Duo Push instead of your own! 

After that, set a strong password to protect your account from future attacks. Once your password is reset, the Duo requests should soon stop. Note that it may take a few moments for the attacker to get kicked out of the Duo login page, so feel free to silence your phone until that happens. Eventually, the attack will cease, and the barrage of Duo requests will follow.