Email passcodes and links can be intercepted if traditional MFA factors are in play, or if someone already has access to the user's email account, which may be protected only by a username and password (potentially leaked in a previous breach). And if someone is contacting the helpdesk because they've lost their phone or are locked out of their accounts, there's a good chance they cannot receive texts or emails at all.
Push notifications sent to an authenticator app: This method is vulnerable to push fatigue attacks, a vector that emerged around 2022. It involves bombarding the user's phone with MFA push requests until the user becomes so "fatigued" that they knowingly or accidentally tap "approve" and let the threat actor in. Alternatively, the fraudster may call the user after the repeated MFA prompts, pretending to be an IT employee, to convince them to accept the prompt. In 2022, Microsoft reported more than 382,000 MFA fatigue attacks.
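From the defender's side, the push fatigue pattern above is detectable as a burst of push prompts to one user inside a short window, with an approval arriving while the burst is still open being the worst case. The following is an added example, not code from the original article; the log line format `<timestamp> <user> <event>`, the event names, and the window and threshold values are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
# Constructed sample MFA push log (not from any real system): "<timestamp> <user> <event>".
SAMPLE_LOG = """\
2024-03-01T02:10:05Z alice push_sent
2024-03-01T02:10:09Z alice push_denied
2024-03-01T02:10:30Z alice push_sent
2024-03-01T02:10:45Z alice push_timeout
2024-03-01T02:11:02Z alice push_sent
2024-03-01T02:11:40Z alice push_sent
2024-03-01T02:12:20Z alice push_sent
2024-03-01T02:12:31Z alice push_approved
2024-03-01T09:00:00Z bob push_sent
2024-03-01T09:00:04Z bob push_approved
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(push_sent|push_denied|push_timeout|push_approved)$")

def parse_line(line):
    # Return (timestamp, user, event), or None for lines that do not match the assumed format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)

def detect_push_fatigue(log_text, window_seconds=300, threshold=5):
    """Alert on any user who receives >= threshold push prompts inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    in_burst = set()             # users whose burst alert is currently open
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event = parsed
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
            while ts - q[0] > window:        # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"user": user, "prompts": len(q), "burst_start": q[0].isoformat(), "approved_after_burst": False})
            elif len(q) < threshold:
                in_burst.discard(user)
        elif event == "push_approved" and user in in_burst and q and ts - q[0] <= window:
            # An approval landing during an open burst is the signature of a successful push fatigue attack.
            next(a for a in reversed(alerts) if a["user"] == user)["approved_after_burst"] = True
            in_burst.discard(user)
    return alerts
```

An alert with `approved_after_burst` set should be treated as a probable compromise and trigger session revocation and a call-back to the user, not just a ticket.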
But what happens when a user can't access their authenticator app? One of the most frustrating aspects of upgrading to a new phone is the risk of being locked out of every account linked to that device. Without access to the authenticator app, the only way to regain account access is to call the helpdesk, which then has to verify the user's identity manually. This process leaves helpdesk agents vulnerable to manipulation: even if you've never been locked out, bad actors can exploit the account recovery process to impersonate you, tricking agents into resetting your accounts and gaining unauthorized access to your sensitive information.