Passwords were designed to be a safe lock to our digital systems — until threat actors managed to bypass them using techniques like brute force attacks, keylogging, password spraying, and more to gain unauthorized access to user accounts.
Then came multifactor authentication (MFA), an authentication mechanism developed to provide an extra security barrier.
MFA typically requires users to provide at least two different authentication factors like password, security key, fingerprint, or facial recognition to verify a user’s identity. The idea is to make it more difficult or slow down hackers who use social engineering techniques, such as phishing, pretexting, and other tactics to steal data and identities.
However, as organizations enhance their defenses by implementing MFA, attackers adapt their tactics and diligently seek ways to circumvent it. One of those ways is what we now call “MFA fatigue attacks”.
What is an MFA Fatigue Attack, and How Does it Work?
MFA fatigue attacks, also dubbed authentication bombing, prompt spamming, and push spam, exploit the human factors in cybersecurity. Just like the name implies, this attack method aims to wear down the target into a state of fatigue or frustration.
MFA fatigue attacks start with attackers repeatedly sending two-factor authentication requests to a target’s email, phone, or registered devices. The attacker can be an insider who knows about the target’s credentials but can’t securely log in due to the MFA barrier.
Away from the insider threat, an attacker might use phishing emails to trick users into revealing their login credentials. Once they have these credentials, the attackers log in and flood the target user with push notifications for two-factor authentication.
The aim is to overwhelm the victim, creating “MFA fatigue,” and trick them into approving the authentication requests out of frustration, thereby granting access to the attacker.
Recent instances of MFA fatigue attacks have shown increased exploitation of the push-notification style authentication commonly used in modern MFA platforms.
Not long ago, a large-scale breach at Uber, orchestrated by the infamous Lapsus$ hacking group, highlighted how the group leveraged this strategy.
Uber reported that the attacker acquired an external contractor’s VPN credentials and persistently attempted to log in, triggering a flood of two-factor authentication requests.
When the contractor initially resisted, the attacker posed as tech support and convinced the contractor to accept the MFA prompt, which granted unauthorized access.
In the above instance, all the attacker needed to do was abuse the user’s authentication process and lie that the barrage of authentication prompts would stop if the user confirmed the authentication.
Why Are MFA Fatigue Attacks Growing?
Several factors contribute to the growing prevalence of MFA fatigue attacks. Firstly, the sheer number of online accounts and services that users manage on a daily basis has skyrocketed, and organizations now deploy MFA for additional protection on everything from email and social media to banking and work-related applications. The more prompts a user receives, the more routine approving them becomes.
Besides the above reason, MFA fatigue attacks are also rising due to their effectiveness. The tactic capitalizes on people’s tendencies to click on multiple notifications, either accidentally or intentionally, often assuming there’s a glitch. This is often more complicated than we think, as the requests come from what appears to be a trusted system. A study by Microsoft shows that about 1% of users will accept a simple approval request on the first request.
Unlike conventional phishing attempts, where users are wary of messages from unknown sources, an MFA prompt arrives from a system the user already trusts, so people are less vigilant about approving it.
Another reason is the ease with which the MFA system can be tricked. A key weakness exploited in MFA fatigue attacks is that nothing ties the location of the login attempt to the user who approves the notification.
Many MFA systems require users to approve the prompt on a device separate from the one used for the login. For instance, if you’ve applied MFA to your Outlook, you’ll receive an MFA prompt on your phone when logging into your email on a work computer. The issue here is that the system doesn’t always check whether the login attempt is coming from where the user actually is. So, even if someone is logging in from a completely different computer or location, the system might not notice or care, and the user sees only a generic approve-or-deny prompt.
Another contributing factor to the prevalence of these attacks is the relative ease with which they can be automated. Automation allows attackers to send a barrage of push notifications rapidly, increasing the chances of finding a target willing to click the link and grant unauthorized access. The efficiency of automation streamlines the attack process, enabling hackers to exploit MFA fatigue across a broader range of targets.
How Can Organizations Boost Their Defences Against MFA Fatigue Attacks?
Defending against MFA fatigue attacks involves implementing simple cybersecurity measures to thwart potential threats.
Here are some best practices you can follow.
5. Adjust MFA parameters
Adjusting MFA parameters involves fine-tuning settings to bolster security. You can shorten the time window for accepting MFA requests, add geo-location or biometrics, reduce the number of allowed authentication attempts, or limit the types of devices that can be associated with an account.
For example, if an MFA system typically allows a 10-minute window for users to click a verification link, tightening the parameters to only accept clicks within a 3-5 minute timeframe narrows the window of vulnerability and, by extension, decreases the likelihood of successful MFA fatigue attacks.
4. Tighten password management and authentication measures beyond MFA
This approach involves implementing strong password policies and combining MFA with additional authentication factors. In a corporate IT environment, a zero-trust approach removes implicit trust from authentication decisions: every access request is verified on its own merits, regardless of the network or device it comes from.
For web-based entry, using Fast Identity Online 2 (FIDO2) authentication eliminates reliance on passwords, substituting them with possession-based credentials stored on a personal device.
Verification can be done through biometrics, PINs, or multi-device steps. Credentials are unique per website, stored locally, and cryptographically secured.
This multifaceted approach enhances overall security by requiring you to meet stringent password criteria and supplementing it with biometrics, hardware tokens, or other advanced authentication methods.
3. Invest in user education
Educating users is a fundamental aspect of defense, especially against social engineering attacks. Provide comprehensive training for users, third-party contractors, and anyone else who works with your resources so they can recognize MFA fatigue attempts and understand the risks they pose, and emphasize secure authentication practices throughout. An informed user base is more likely to exercise caution and report suspicious activity.
You can start by conducting regular workshops or online training sessions to educate employees on the tactics used in MFA fatigue attacks, emphasizing the importance of verifying the legitimacy of any authentication requests.
2. Start enforcing least privilege
Enforcing the principle of least privilege involves granting users the minimum access necessary to perform their job functions. This reduces the potential impact of compromised accounts, as attackers would have limited permissions.
Least privilege access effectively restricts a malicious actor’s movements from the point of entry. You can start by assigning specific roles and permissions based on job responsibilities, ensuring that employees can access only the resources required for their tasks and nothing more.
1. Invest in systems hardening
Systems hardening involves utilizing tools, techniques, and best practices to mitigate vulnerabilities or attack surfaces in technology applications, systems, infrastructure, firmware, and other relevant areas.
This may involve disabling unnecessary services, removing unnecessary software, and configuring systems to minimize potential entry points for attackers.
For attacks like MFA bombing, systems hardening also helps ensure that stale credentials are removed before they can fall into the wrong hands. For example, disabling unused services and ports on servers, ensuring that only essential processes are running, and configuring firewalls to allow only necessary network traffic all contribute to the overall hardening of your systems.
MFA fatigue attacks can pose a serious concern for your organization, as it did for Uber in 2022. As such, organizations need to commit to measures that can help their users detect this form of attack.
It is also crucial for system developers and administrators to implement enhanced MFA protocols, such as validating the proximity of the device attempting to log in.
Additionally, make sure you are keeping an eye out for risks affecting your organization’s accounts, such as sign-ins from unfamiliar locations, atypical travel, successful authentication from a new country, and so forth.
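The following Python is an added example, not code from the original article or from any MFA vendor. It models two of the controls discussed above: the tightened prompt window and prompt cap from "Adjust MFA parameters", and the monitoring for approvals from unfamiliar countries described here. The thresholds, user names, country baselines and log lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Tunable MFA parameters (assumed values, not any vendor's defaults).
RATE_WINDOW = timedelta(minutes=10)  # sliding window for counting prompts per user
MAX_PROMPTS = 3                      # prompts allowed per user within RATE_WINDOW
PROMPT_TTL = timedelta(minutes=3)    # a prompt must be approved within this time

# Constructed sign-in log (not real telemetry): "<ISO time> <user> <event> <login country>".
# alice's stolen credentials are replayed from BR; bob is an ordinary sign-in from DE.
SAMPLE_LOG = """\
2022-09-15T01:02:00 alice push_sent BR
2022-09-15T01:03:00 alice push_sent BR
2022-09-15T01:03:30 alice push_denied BR
2022-09-15T01:04:00 alice push_sent BR
2022-09-15T01:05:00 alice push_sent BR
2022-09-15T01:09:00 alice push_approved BR
2022-09-15T01:02:00 bob push_sent DE
2022-09-15T01:02:20 bob push_approved DE
"""
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}}  # assumed per-user baseline

def parse(log_text):
    """Turn log lines into (timestamp, user, event, country) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, country = line.split()
        events.append((datetime.fromisoformat(ts), user, event, country))
    return sorted(events)

def evaluate(log_text, known_countries):
    """Replay the log through the policy and return the alerts it raises."""
    alerts = []
    issued = defaultdict(deque)  # user -> timestamps of prompts actually sent
    for when, user, event, country in parse(log_text):
        q = issued[user]
        while q and when - q[0] > RATE_WINDOW:  # forget prompts outside the window
            q.popleft()
        if event == "push_sent":
            if len(q) >= MAX_PROMPTS:  # cap reached: suppress the prompt and alert
                alerts.append(f"{user}: prompt {len(q) + 1} within {RATE_WINDOW} blocked (possible MFA bombing)")
            else:
                q.append(when)
        elif event == "push_approved":
            if not q or when - q[-1] > PROMPT_TTL:
                alerts.append(f"{user}: approval ignored, no live prompt within {PROMPT_TTL}")
            if len(q) >= MAX_PROMPTS:
                alerts.append(f"{user}: approval after {len(q)} prompts within {RATE_WINDOW}")
            if country not in known_countries.get(user, set()):
                alerts.append(f"{user}: approval from new country {country}")
    return alerts
```

Running `evaluate(SAMPLE_LOG, KNOWN_COUNTRIES)` yields four alerts for alice (the fourth prompt is blocked, the late approval is rejected, and the approval is flagged both as following a burst and as coming from a new country) and none for bob.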
Above all, remember to never approve an MFA prompt you didn’t initiate.
- Review Of The Attacks Associated With Lapsus$ And Related Threat Groups (CISA)
- Security update (Uber)
- Defend your users from MFA fatigue attacks (Microsoft Community Hub)