MFA Prompts: Only Approve the Ones You Started
Multi-factor authentication, often called MFA or two-step verification, is one of the best protections for business accounts. It helps stop someone from signing in with only a stolen password.
But MFA still needs one careful habit from the person holding the phone: only approve a sign-in prompt when you are the one signing in.
If your phone asks you to approve a Microsoft 365, Google, banking, payroll, remote-access, or other business login and you did not just try to sign in, treat it as a warning. It may mean someone already knows your password and is trying to get you to let them in.
Why unexpected MFA prompts matter
Attackers sometimes try a simple trick: they enter a stolen password again and again, hoping the real user gets tired of the phone prompts and taps approve just to make them stop. This is often called MFA fatigue or push bombing.
The prompt may look normal because it comes from a real app. That is what makes it dangerous. The problem is not the app. The problem is that the sign-in request was not started by you.
For small business users, this can affect email, cloud files, accounting systems, remote access, CRM, banking, supplier portals, and other daily tools. One accidental approval can give an attacker access to a mailbox or system that the business depends on.
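The pattern described above is also visible on the defender's side. As an added example that is not part of the original article, the script below scans sign-in log lines for a burst of push prompts to one user in a short window and notes whether an approval followed the denials, which is the fatigue outcome to escalate. The log format, the 10-minute window and the 5-prompt threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up format (not any vendor's real format).
# Each line records one MFA push prompt and whether the user approved or denied it.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice method=push result=denied
2024-05-01T09:12:41Z user=alice method=push result=denied
2024-05-01T09:13:15Z user=alice method=push result=denied
2024-05-01T09:13:58Z user=alice method=push result=denied
2024-05-01T09:14:30Z user=alice method=push result=denied
2024-05-01T09:15:02Z user=alice method=push result=approved
2024-05-01T09:20:00Z user=bob method=push result=approved
2024-05-01T17:45:10Z user=bob method=push result=approved
""".splitlines()


def parse_line(line):
    """Turn one log line into (timestamp, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]


def detect_push_bombing(lines, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received min_prompts or more push prompts inside one
    sliding window (assumed thresholds). Returns {user: (largest burst size,
    approval seen inside a burst)} so a responder knows whether the user
    eventually tapped approve, the case the article calls MFA fatigue."""
    events = defaultdict(list)
    for line in lines:
        ts, user, result = parse_line(line)
        events[user].append((ts, result))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide window start forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_prompts:
                approved = any(r == "approved" for _, r in burst)
                prev = findings.get(user, (0, False))
                findings[user] = (max(prev[0], len(burst)), prev[1] or approved)
    return findings


if __name__ == "__main__":
    for user, (count, approved) in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {count} push prompts in 10 min, approval inside burst: {approved}")
```

Bob's two approvals are hours apart and are not flagged; Alice's six prompts in three minutes, ending in an approval, are the case to treat as a likely compromised password.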
The safe habit
Before approving any MFA request, pause and ask one question:
Did I just try to sign in to this account?
If the answer is no, deny the request and report it.
Do:
- Approve MFA prompts only when you are actively signing in.
- Check the app, account name, location, and number-matching code if your authenticator shows one.
- Use number matching when available, because it makes accidental approval harder.
- Report repeated or unexpected prompts to IT, your manager, or your security contact.
- Change your password quickly if you receive unexpected prompts, especially if they keep coming.
- Keep your authenticator app and phone operating system updated.
Do not:
- Tap approve just to clear the notification.
- Approve a prompt because someone calls, messages, or emails saying they are from IT and need you to accept it.
- Share one-time codes, authenticator numbers, backup codes, or recovery codes in chat, email, or over the phone.
- Assume an MFA prompt is safe only because it came from a familiar app.
- Ignore repeated denied prompts. They may be a sign that your password is already known.
What number matching changes
Some sign-ins now show a number on the login screen and ask you to enter or match that number in the authenticator app. That extra step is there for a reason. It helps confirm that the person approving the prompt is looking at the real sign-in screen, not just reacting to a random notification.
If you did not start the login, you will not have a number to match. Do not guess. Deny the request.
If you are unsure
Stop and ask for help before approving. A short delay is much safer than letting someone into a business account.
If you already approved a prompt you did not start, report it immediately. Change the affected password from a trusted device, tell IT what happened, and do not delete related emails or notifications until the account has been checked. Quick reporting can make the difference between a blocked attempt and a wider incident.
MFA is still worth using. The practical rule is simple: approve only the sign-ins you started, deny anything unexpected, and report repeated prompts right away.
Sources: CISA — Multifactor Authentication; CISA — Guidance on phishing-resistant and number-matching MFA; Microsoft Learn — How number matching works in MFA push notifications.