MFA Fatigue: An Overview Of The Latest Trend In Cyberattacks

6 Jan 2023


The recent increase in cybercrimes has pushed organisations worldwide to further tighten their security measures in various ways, starting with implementing industry-wide best practices like multi-factor authentication to protect their employees against phishing attempts, credential theft, brute-force password attacks, and much more. However, it did not take long for hacking groups to figure out a workaround for this added layer of security via a new tactic called MFA fatigue, which involves spamming target victims with endless authentication prompts until they relent and give access out of frustration and annoyance or by accident. Below, we go over MFA fatigue, the anatomy of the attack, and ways to protect against it.

MFA fatigue defined

MFA fatigue, MFA bombing, MFA push spam, or prompt bombing all mean the same thing: a strategy attackers use to defeat multi-factor authentication when attempting to gain access to user accounts. Unlike other approaches that circumvent MFA via social engineering techniques, man-in-the-middle attacks, or hijacking active user sessions, MFA fatigue uses a more direct and brute-force approach.

After hackers manage to get the victim's user credentials, they repeatedly attempt to log in, which causes the account owner to receive a continuous bombardment of authentication prompts asking to verify their identity. The non-stop barrage proceeds until the owner slips up, relents after being mentally worn down from the prompts, or the hacker moves on.

Despite its bluntness, MFA fatigue can be rather effective at bypassing the additional security layer in modern user accounts. With MFA now being used everywhere, confirming its prompts has become so routine for many people that they tend to no longer check them closely. The constant need to verify one's identity repeatedly for both personal and work accounts can cause users to be inattentive or drained over time, which is what MFA fatigue aims to exploit.

Even when users can identify that the prompts are due to fraudulent login attempts, the endless authentication notifications can wear them down until they grant access just to stop the prompts. The pressure is more intense on mobile devices as they can be rendered unusable until the push notifications are stopped.

In the end, an MFA fatigue attack is never guaranteed to succeed, since attackers must rely on their victims to give in or make a mistake, and they have no way of forcing them to confirm the login. But, being a simple strategy, MFA fatigue attacks can be automated and scaled up easily, so attackers can run as many campaigns as they want simultaneously.

Ways to combat MFA fatigue

1. Educate employees

Knowledge of this type of attack is one of the most effective ways for employees to know what to look out for and the proper course of action to take. Although most people can immediately recognise that something is wrong when they continuously receive MFA push notifications, they may not know how to deal with the problem. Thus, on top of regular cybersecurity training, it is important to let them know who they can turn to for guidance should they need assistance dealing with MFA fatigue and other attacks.

2. Use IAM to reduce the organisation's attack surface

Reducing the number of accounts administrators have to protect and manage is among the best ways to reduce the risk of fraudulent logins. Organisations typically lack procedures for removing unused or unnecessary accounts, which leads to a build-up of accounts belonging to previous users who have left the organisation or switched to other departments yet still have MFA apps, tokens, and devices that have not been disabled.

Since account maintenance can be an error-prone and cumbersome process, adopting an identity and access management solution can help automate such adjustments, making permissions and user management easier and faster and facilitating the implementation of best practices like least privilege access and zero trust.

3. Establish resilient authentication

MFA fatigue targets the key weaknesses in how organisations implement their 2FA or MFA security protocols. For instance, MFA fatigue becomes less effective if there is an enforced minimum interval between prompts, or a set number of attempts users are given to verify themselves before being locked out. It is essential to be careful when adopting such strategies, as they can also be used against the company through denial-of-service attacks that stop all logins. In short, the same methods used to guard against password guessing through rapid spam also apply to MFA fatigue.
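An added example (not code from the original article) of the throttling approach described above, in Python: a per-user limiter that spaces push prompts out, stops sending them once a set number has gone out within a sliding window, and flags the account for the security team rather than locking it outright, which keeps the denial-of-service trade-off mentioned above smaller. The thresholds, the event stream and the assumption that a flagged user can still sign in with a non-push factor are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed policy values: tune to the organisation's own login patterns.
WINDOW_SECONDS = 600        # sliding window in which pushes are counted
MAX_PUSHES_PER_WINDOW = 5   # after this many pushes, stop sending more
MIN_GAP_SECONDS = 30        # minimum spacing between two pushes to one user


class PushThrottle:
    """Decides, per login attempt, whether a push prompt may be sent."""

    def __init__(self):
        self._sent = defaultdict(deque)  # user -> timestamps of pushes sent
        self.alerts = []                 # users flagged for review, in order

    def decide(self, user, ts):
        q = self._sent[user]
        # Drop pushes that have aged out of the sliding window.
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        # Attempts arriving faster than the minimum gap share the last push
        # instead of generating a new notification on the user's phone.
        if q and ts - q[-1] < MIN_GAP_SECONDS:
            return "coalesce"
        # Cap reached: suppress the push and raise an alert once per user.
        # The account itself is not locked (assumed: the user can still
        # complete login with a non-push factor), limiting DoS exposure.
        if len(q) >= MAX_PUSHES_PER_WINDOW:
            if user not in self.alerts:
                self.alerts.append(user)
            return "suppress"
        q.append(ts)
        return "send"


def run(events):
    """Apply the throttle to (timestamp, user) events; returns decisions."""
    throttle = PushThrottle()
    decisions = [(user, ts, throttle.decide(user, ts)) for ts, user in events]
    return decisions, throttle.alerts


# Constructed event stream: a burst of attempts against alice, one normal
# login by bob, then one more alice attempt after the window has moved on.
SAMPLE_EVENTS = [(0, "alice"), (10, "alice"), (40, "alice"), (50, "bob"),
                 (70, "alice"), (100, "alice"), (130, "alice"), (160, "alice"),
                 (190, "alice"), (700, "alice")]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS)[0]:
        print(*row)
```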

4. Ease login fatigue

The more MFA confirmation requests employees have to answer every day, the more likely a fraudulent prompt is to go unnoticed. Thus, reducing the overall number of logins and switching to solutions like passwordless authentication and single sign-on can help ensure they remain attentive.

Conclusion

MFA fatigue is only the latest development in the ever-dynamic threat landscape that continues to keep organisations on their toes regarding their cybersecurity. Although this technique is not as sophisticated as other attacks, it can still do considerable damage should it go unnoticed or should a negligent user make the mistake of confirming a fraudulent login. As such, companies need to implement the ways of combating MFA fatigue that work best for their processes.

GROUP8 can help maintain your business's security posture and ensure it always remains robust and resilient against known and unprecedented threats. Our industry-leading offensive-inspired cybersecurity services consist of many solutions, such as endpoint security, network security, incident response, and vulnerability assessment and penetration testing services in Singapore that cover the entire cybersecurity ecosystem. Contact us at hello@group8.co to learn more.