Multi-factor authentication (MFA) helps protect accounts by adding an extra layer of protection, such as a passcode sent by text or email. It dramatically reduces the chances of an account getting hacked and forces attackers to find ways around that security. One such tactic is MFA fatigue, which is designed to annoy users into validating a rogue login attempt.
Microsoft saw around 6,000 MFA fatigue attempts per day by the end of June 2023. Additionally, 1% of users will approve a login request on the first try, even if it didn’t come from them. While that percentage sounds low, when you have a business with hundreds of employees, there’s a higher chance that one person will fall for this cyberattack.
Table of Contents
How MFA Fatigue Works
1: Target Selection
2: Stealing Login Details
3: MFA Request Flooding
4: User Fatigue
5: Gaining Access
6: Post-Breach Activity
Push Notifications Are Most Vulnerable to MFA Fatigue
MFA Fatigue Can Be More Than Just a Cyberattack
How To Protect Your Business From MFA Fatigue
Use Risk-Based Authentication
Give Users Login Context
Turn Off Push Notifications
Enable Device Trust
Increase Cybersecurity Awareness
What Is an MFA Fatigue Attack?
An MFA fatigue attack, sometimes called MFA bombing or MFA spamming, is a social engineering attack in which the attacker floods the target with verification requests to linked devices. The aim of this approach is to trick the victim into approving the login attempt. That can happen through annoyance at the number of requests or by accident because it keeps popping up on their device.
How MFA Fatigue Works
MFA fatigue attacks are meant to exploit human nature. Even if a business’s cybersecurity is strong, its weak point is the user, making them the target. These types of attacks involve quite a few steps, which we’ll outline below:
1: Target Selection
The attacker identifies a user that has an account with MFA enabled. Depending on what they’re after, the target could be anyone from an employee to the owner.
2: Stealing Login Details
For MFA fatigue to work, the threat actor first needs the login details to get enough access to trigger the authentication. Those may be stolen in different ways, such as phishing, credential stuffing, or social engineering.
3: MFA Request Flooding
Once the attacker has gained access to the account using stolen login details, they’ll flood the target with MFA requests. Rather than stop when or if their request is denied, they continue to spam them, hoping it eventually gets approved.
4: User Fatigue
If the user has noticed all the requests, some may rightly view it as suspicious and report the activity. However, others may either authorize the login out of annoyance or accidentally approve it due to repeated requests. Ignoring or rejecting the request blocks the attack.
5: Gaining Access
The cyberattack only continues from this point if the login is authenticated. From here, the perpetrator will do their intended actions. That can include stealing data, making fraudulent purchases, installing malware, or creating backdoors for future access.
6: Post-Breach Activity
After the attack is over, the damage doesn’t always end. Depending on what they stole, they may sell the data they took or even sneak back onto the account if they set up a backdoor. The longer their activity goes undetected, the more harm can be caused.
Push Notifications Are Most Vulnerable to MFA Fatigue
According to a report by Okta, 29% of MFA users use push notifications, the single largest adoption rate for any notification type. While there are many ways to set up authentication, push notifications are the most vulnerable to MFA fatigue. They create a pop-up on the user’s device, such as a phone, allowing users to approve a login attempt with a single tap.
Other approaches, such as one-time passwords (OTPs), can’t be abused in the same way because the attacker can’t view the code directly. That creates an extra step in the cyberattack, through phishing or social engineering, where the attacker must contact the victim to ask for the code. Even one extra step reduces the chance of success.
MFA Fatigue Can Be More Than Just a Cyberattack
While MFA fatigue aims to wear down users by spamming requests, the root of the problem isn’t always the cyberattack itself. IT companies have heavily pushed businesses to use authentication in recent years, as it’s a proven method for protecting accounts. However, as many users juggle multiple MFA requests daily to access all their accounts, some are simply tired of dealing with it.
Users already frustrated by too many daily notifications may be more vulnerable to an MFA fatigue attack. When users give less consideration to each authentication request, they’re more likely to accept it without extra thought. Combined with a lack of awareness of this threat, it’s a recipe for a breach.
How To Protect Your Business From MFA Fatigue
While there is no single best way to prevent MFA fatigue, businesses can use a mixture of approaches to reduce its chance. Coordinate with your IT security team to determine what works best for your users.
Use Risk-Based Authentication
Risk-based authentication assigns a risk score to each authentication request. It looks at a wide range of factors, such as location, IP address, device used, time of day, data sensitivity, and other security events. Anything out of the ordinary creates a higher risk score, triggering more authentication factors or denying the login attempt entirely.
Give Users Login Context
Giving users additional login context, like the app being used and the location of the attempt, can help users view if someone else is trying to access their account. If an MFA fatigue attempt happens during regular business hours, they may otherwise think it’s a bug and accept it if they’re spammed with requests.
Turn Off Push Notifications
While push notifications are convenient, allowing people to approve logins with a single tap or click, they’re also the most easily abused by MFA fatigue. Disabling them makes it much more difficult for attackers to access protected accounts. If they cannot contact the target and phish for the code, the attack won’t work.
Enable Device Trust
Some MFA solutions include device trust. This option lets businesses set specific devices as trusted, only allowing logins to be authorized from them. That means even if someone steals login credentials and falls for an MFA fatigue attack, the perpetrator cannot access the account.
Increase Cybersecurity Awareness
A challenge in preventing any cyberattack, including MFA fatigue, is cybersecurity awareness. People can’t defend themselves against threats that they don’t know exist. As part of MFA training, it’s critical to educate staff on only authenticating their own login attempts and to report any suspicious activity.
Authentication Is Still Essential To Protecting Accounts
More cyberattacks are being blocked than ever, even when login credentials are stolen. This keeps accounts safer and reduces the risk of data breaches due to poor password habits or employees falling for phishing attempts. In most cases, it’s also required for cyber insurance compliance due to its proven ability to prevent cyberattacks, reducing a business’s overall liability.
However, as MFA usage steadily increases, cybercriminals will develop more tactics to circumvent it. MFA fatigue is one such approach. While it’s a trending threat, businesses can counter it by assessing risks, turning off push notifications, using device trust, and increasing awareness.
Does your business need help defending against cybersecurity threats like MFA fatigue? Get in touch with ITonDemand for a consultation via our contact form or call us at: +1 (800) 297-8293
