MFA Safety: Why You Should Never Approve Unexpected Prompts (and Why App-Based MFA Is Safer Than SMS)

Multi-Factor Authentication (MFA) is one of the strongest protections available for your work accounts — but only when it’s used correctly.

Two of the most common causes of MFA-related security incidents are:

  1. Approving an MFA prompt you didn’t expect

  2. Relying on SMS text messages instead of app-based MFA

This post explains why both matter, what to watch for, and how to stay protected.

Why you should never approve an unexpected MFA prompt

When you receive an MFA prompt, it means:

  • Your password was already accepted

  • The system is asking for a second proof to complete the login

If you receive an MFA prompt you did not initiate, that is a red flag.

What an unexpected MFA prompt usually means

  • Someone else has your password

  • Your credentials were stolen via phishing or a fake login page

  • Your password was reused from another breached site

In other words:

Approving that prompt gives the attacker exactly what they need.

Common mistakes attackers rely on

Attackers often send repeated MFA prompts hoping that:

  • You’re distracted

  • You assume it’s a system glitch

  • You think “maybe I logged in earlier”

  • You approve it just to make it stop

This tactic is sometimes called MFA fatigue — and it works surprisingly often.
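The burst of repeated prompts described above also shows up in the identity provider's sign-in logs, which is how IT can spot an MFA fatigue attempt even when the user does the right thing and denies every one. The Python example below is added here and is not part of the original post; it runs over constructed sample log lines (the field names and log format are assumptions, not any particular product's) and flags users who received several denied or unanswered push prompts within a few minutes, noting whether a prompt in that window was then approved.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per push-MFA prompt and how it ended
# (approved, denied, or timeout = never answered). Not from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z user=alice method=push result=approved
2024-05-01T22:14:02Z user=alice method=push result=timeout
2024-05-01T22:14:41Z user=alice method=push result=denied
2024-05-01T22:15:20Z user=alice method=push result=timeout
2024-05-01T22:16:03Z user=alice method=push result=denied
2024-05-01T22:17:10Z user=alice method=push result=approved
2024-05-01T10:30:00Z user=bob method=push result=denied
2024-05-01T14:02:00Z user=bob method=push result=approved
2024-05-01T22:15:00Z user=carol method=sms result=timeout
""".splitlines()

LINE_RE = re.compile(r"^(\S+) user=(\S+) method=(\S+) result=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, method, result), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_mfa_fatigue(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more denied/unanswered push prompts inside
    one `window`, and record whether a prompt was approved within that window
    (a burst that ends in an approval is the outcome the attacker wants)."""
    events = defaultdict(list)  # user -> [(timestamp, result)], push prompts only
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "push":
            events[rec[1]].append((rec[0], rec[3]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        unanswered = [t for t, r in evs if r != "approved"]
        for i, start in enumerate(unanswered):  # sliding window over the burst
            in_window = [t for t in unanswered[i:] if t - start <= window]
            if len(in_window) >= threshold:
                approved = any(r == "approved" and start <= t <= start + window
                               for t, r in evs)
                alerts[user] = {"count": len(in_window), "approved_in_window": approved}
                break
    return alerts
```

In the constructed data, alice receives four unanswered or denied pushes in two minutes and then an approval, which is the pattern worth an immediate call to the user; bob's single denial and carol's SMS timeout are not flagged.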

What to do if you get an unexpected MFA prompt

If you receive an MFA request you didn’t initiate:

  • ❌ Do not approve it

  • ❌ Do not ignore repeated prompts

  • ✅ Deny the request (if possible)

  • ✅ Report it to IT immediately

  • ✅ Change your password if instructed

Quick reporting can prevent a full account compromise.

Why SMS (text message) MFA is less secure

Not all MFA methods provide the same level of protection.

While SMS-based MFA is better than no MFA at all, it has known weaknesses.

Risks with SMS MFA

  • Text messages can be intercepted

  • Phone numbers can be hijacked (SIM swapping)

  • Messages can be delayed or fail to arrive

  • SMS does not verify the device receiving the message

Attackers increasingly target SMS-based MFA because it’s easier to bypass.

Why app-based MFA is preferred

App-based MFA (such as authenticator apps) generates codes directly on your device.

Benefits of app-based MFA

  • Codes are generated locally, not sent over a network

  • Resistant to SIM-swap attacks

  • Works even without cellular service

  • Stronger protection against phishing attempts

Because of these advantages, app-based MFA is widely recommended and, in many environments, required.

How this protects you and the organization

Using MFA correctly:

  • Stops attackers even if they steal a password

  • Prevents account takeover

  • Protects email, files, and cloud services

  • Reduces the risk of widespread incidents

Many security standards and best-practice frameworks — including HIPAA, CMMC/NIST, PCI-DSS, and general cybersecurity guidance — either require or strongly recommend MFA, particularly app-based methods.

Common questions

What if I accidentally approved a prompt?
Report it immediately. The faster IT is notified, the better the chance of preventing further damage.

What if my phone isn’t available?
Backup MFA options can usually be configured. Contact IT before you’re locked out.

Is MFA annoying on purpose?
Yes — slightly. That friction is what stops attackers.

Our recommendation

We strongly recommend:

  • Never approving an MFA prompt you did not initiate

  • Using app-based MFA instead of SMS whenever possible

  • Reporting unexpected prompts immediately

MFA is one of the most effective security controls available — but only when users treat prompts carefully and use the strongest available method.

If you ever have questions about an MFA request, it’s always better to ask than to approve.

Al Davis