However, attackers are now finding ways around MFA.
SMS-based MFA, where users receive an MFA code via text message, has been shown to be insecure, and many service providers have replaced it with alternatives. One of the most popular alternatives is 'push notifications', which are displayed to the user by an authenticator app.
However, recently there has been an increase in attacks that rely on a method known as MFA fatigue.
Attackers have now discovered that spamming an employee with MFA authorisation requests until they become so annoyed that they approve the request can be a very effective way of bypassing the additional layer of security that MFA is there to provide.
This method was used in the recent cyber attacks against Cisco and Uber. In the Uber attack, the criminals increased their chances of success by combining it with social engineering. They contacted the employee on WhatsApp, claiming to be a member of the IT team and instructing them to approve the login to get the MFA notifications to stop.
Employee training is always important for mitigating the risk of any cyber attack, including MFA fatigue attacks. Employees need to be aware of such attacks and should be instructed to notify the organisation’s IT or security team if they receive many push notifications they did not initiate. They should also be aware that messages or phone calls allegedly coming from their IT department could actually originate from the attacker.
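The pattern described above (a burst of push requests the user did not initiate, sometimes ending in an approval) is also visible to the security team in authentication logs, so it can be caught even when the employee does not report it. The following is an added example, not code from the article: a small detector that flags any user who receives a threshold number of push challenges inside a short sliding window, and records whether an approval followed the burst. The log line format, the sample lines, and the default threshold and window are all constructed assumptions for this illustration; a real deployment would read the identity provider's own event format and tune the values to its baseline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (constructed) log format:
#   <ISO timestamp> user=<name> event=push_sent|push_approved|push_denied
LINE_RE = re.compile(
    r"^(\S+) user=(\S+) event=(push_sent|push_approved|push_denied)$"
)

# Constructed sample log: alice is push-bombed and eventually approves,
# bob has a normal single login, carol has six pushes spread over hours.
SAMPLE_LOG = """\
2024-03-01T02:00:00 user=alice event=push_sent
2024-03-01T02:00:05 user=alice event=push_denied
2024-03-01T02:01:00 user=alice event=push_sent
2024-03-01T02:02:00 user=alice event=push_sent
2024-03-01T02:03:00 user=alice event=push_sent
2024-03-01T02:04:00 user=alice event=push_sent
2024-03-01T02:05:00 user=alice event=push_sent
2024-03-01T02:06:00 user=alice event=push_sent
2024-03-01T02:06:30 user=alice event=push_approved
2024-03-01T08:00:00 user=carol event=push_sent
2024-03-01T08:00:20 user=carol event=push_approved
2024-03-01T08:30:00 user=carol event=push_sent
2024-03-01T09:00:00 user=bob event=push_sent
2024-03-01T09:00:10 user=bob event=push_approved
2024-03-01T09:05:00 user=carol event=push_sent
2024-03-01T09:40:00 user=carol event=push_sent
2024-03-01T10:15:00 user=carol event=push_sent
2024-03-01T10:50:00 user=carol event=push_sent
"""


@dataclass
class Alert:
    """One detected push storm for a single user."""
    user: str
    first_push: datetime
    last_push: datetime
    pushes: int
    approved: bool  # True if the user approved a push during/just after the storm


def parse_line(line):
    """Return (timestamp, user, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_push_storms(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive >= threshold push challenges within `window`.

    Uses a per-user sliding window of push_sent timestamps. Once a storm is
    open it keeps absorbing further pushes until the gap since the last push
    exceeds the window; an approval inside that span marks the alert.
    """
    recent = defaultdict(deque)   # user -> push_sent timestamps inside window
    open_storm = {}               # user -> Alert currently being extended
    alerts = []

    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, user, event = parsed

        # Close a storm once the user has been quiet for longer than the window.
        storm = open_storm.get(user)
        if storm is not None and ts - storm.last_push > window:
            del open_storm[user]
            storm = None

        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if storm is not None:
                storm.last_push = ts
                storm.pushes += 1
            elif len(q) >= threshold:
                storm = Alert(user, q[0], ts, len(q), False)
                open_storm[user] = storm
                alerts.append(storm)
        elif event == "push_approved" and storm is not None:
            # An approval during a storm is the outcome MFA fatigue aims for.
            storm.approved = True

    return alerts


if __name__ == "__main__":
    for a in find_push_storms(SAMPLE_LOG.splitlines()):
        print(f"{a.user}: {a.pushes} pushes between {a.first_push} and "
              f"{a.last_push}; approved={a.approved}")
```

Running the block on the constructed log reports only alice (seven pushes in six minutes, followed by an approval), while carol's six pushes over three hours never reach the threshold inside any ten-minute window and bob's single push is ignored. An approved storm is the case worth paging on; an unapproved one still shows that someone holds valid credentials for that account.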