Multifactor authentication (MFA) is an essential security measure.
Without a MFA authentication process, your organization will be significantly more vulnerable to attackers looking to gain access to critical systems and steal sensitive data.
However, attackers can still find ways around MFA...
And although not particularly sophisticated, MFA fatigue attacks are one of the most common ways they do this.
A study from Microsoft found over 382,000 MFA fatigue attacks recorded during the 12 month period they tracked... and that 1% of users would ‘blindly’ accept the first MFA push notification they receive on their mobile.
In the guide below we'll break down exactly what you need to know about MFA fatigue, how to spot them as well as the latest security practices for protecting your organization.
What is MFA fatigue?
📚 Quick definition: Multi-factor authentication fatigue attacks (also known as MFA Bombing or MFA Spamming) are a cyber threat where attackers repeatedly attempt to authenticate your account, typically by using the secondary authentication method such as a push notification.
The purpose behind this barrage of notifications is to exhaust you into approving an authentication request which will granting the attacker access.
Although MFA provides an additional layer of security, you'll want to make sure you have a basic understanding the mechanics of MFA fatigue attacks to develop effective preventive measures.
A study from Microsoft found over 382,000 attacks recorded during the 12 month period they tracked...
And that 1% of users would ‘blindly’ accept the first MFA push notification they receive on their mobile.
Techniques used in MFA fatigue attacks
Social engineering tactics: Attackers leverage social engineering tactics to manipulate users into approving fraudulent authentication requests. Techniques include things like phishing emails, phone calls posing as legitimate organizations, or impersonating trusted contacts to deceive users into approving MFA prompts.
Contextual authentication manipulation: This involves exploiting contextual information, such as device location or user behavior, to bypass MFA requirements. Attackers might use techniques like GPS spoofing or IP address manipulation to deceive authentication systems into granting access without triggering MFA prompts.
Push spam attacks: This attack method inundates users with a barrage of push notifications, overwhelming them and increasing the likelihood of inadvertent approval.
Real-life examples of MFA attacks
Uber (2022)
In 2022, Uber fell victim to a breach when a contractor's personal device was infected with malware.
The hacker purchases the leaked credentials on the dark web and used them to log in to the contractor’s Uber account, which triggered MFA requests.
Repeated MFA requests lead to ‘MFA fatigue’ and a request was eventually accepted.
The hacker gained access to the account and escalated the attack.
In this case (luckily for Uber) the hacker wasn’t intent on stealing customer data and instead was just looking for a thrill/kudos.
MGM and Ceasar's (2023)
MGM and Caesar’s casinos were also victims of an MFA attacks through social engineering.
In the MGM case, a phone call was used to trick a help desk employee into resetting the company’s MFA methods, leading to a ransomware attack.
MGM opted not to pay the ransom, but Caesar’s negotiated a $15 million payout to threat actors.
Cisco (2022)
In the case of Cisco, threat actors targeted the personal Google account of one of their employees.
Hackers were able to access their credentials via Chrome, which had been configured to sync passwords.
They then send a a wave of push requests to the target’s mobile device as well as multiple fake phone calls where the caller claimed to be with a support provider.
How to spot MFA fatigue attacks 🚨
Here are some of the key indicators of an attack:
Frequent authentication requests
An unusual surge in authentication requests, especially outside of regular login attempts, could signal an ongoing attack.
Requests without prior login attempts
Receiving authentication prompts without having initiated a login process should raise immediate red flags.
Patterns in request timing
Attackers may execute these attacks during off-hours or when they presume you/your employees are less likely to scrutinize the requests carefully.
Unrecognized geographical locations
Alerts originating from unfamiliar locations suggest unauthorized attempts to gain access.
Repeated push notifications
A continuous stream of push notifications for authentication can be an attempt to exploit user fatigue.
Overview: How to prevent MFA fatigue attacks in your organization
Implement adaptive authentication
Adaptive authentication adjusts security measures based on user behavior and context, reducing unnecessary authentication prompts.
By analyzing factors such as location, device, and user behavior patterns, adaptive authentication can dynamically adjust authentication requirements, enhancing security without causing inconvenience to users.
Educate employees about multi-factor authentication
Investing in training will ensure your employees are in-the-know about the importance of MFA and how to use it effectively.
Employees should come away with an understanding of the rationale behind MFA and the role it plays in protecting sensitive data and systems from unauthorized access.
Utilizing risk-based authentication mechanisms
Risk-based authentication assesses the risk level associated with each authentication attempt and adjusts the authentication requirements accordingly.
Focusing on higher-risk activities, you'll be able to prioritize security measures where they are most needed, reducing the risk of MFA fatigue.
Prioritise strong password hygiene:
Weak passwords will increase your reliance on MFA, which will in turn lead to fatigue over time.
Enforcing strong password policies, including regular password updates and complexity requirements, can reduce the need for frequent MFA prompts.
We'd recommend looking into a password managers can to generate and manage complex passwords securely.
Keep on top of unusual user behavior
Continuous monitoring of user activity can help detect anomalies and potential signs of MFA fatigue.
Analyze login patterns and user behavior and identify any excessive authentication attempts or unusual access patterns to prevent potential security breaches.
MFA fatigue attack prevention deep dive
Social engineering
📚 Quick definition: This style of attack involves bad actors exploiting psychological manipulation techniques to exhaust p into approving fraudulent authentication requests in MFA systems.
Techniques attackers use
- Phishing emails: Threat actors will send deceptive emails posing as legitimate entities, asking you to verify your credentials by clicking on malicious links or downloading attachments.
- Fake login pages: Attackers might create counterfeit login pages that closely resemble legitimate websites, tricking you into entering your credentials. These pages are often distributed through phishing emails or malicious websites.
- Urgency and fear tactics: Bad actors will leverage psychological triggers like urgency or fear to coerce users into quickly responding to authentication requests.
How can you prevent it?
- Security awareness training: Educate employees about the dangers of social engineering attacks and how to recognize things like phishing emails and fake websites.
- More robust multi-factor authentication systems: Implement MFA solutions that offer additional layers of security beyond passwords, such as biometric authentication or hardware tokens.
- Two-way authentication: Require employees to verify authentication requests through multiple channels, such as a combination of email, SMS, or phone calls, to confirm their identity.
- Secure communication channels: Encourage employees to only provide sensitive information or authenticate through secure communication channels, such as encrypted websites or official mobile apps.
- Verification of requests: Advise employees to independently verify the legitimacy of authentication requests by directly contacting the organization's official support channels or accessing their accounts through trusted methods.
Push spam attacks
📚 Quick definition: Push spam attacks involve cybercriminals bombarding users with a high volume of fraudulent push notification requests, overwhelming them and increasing the likelihood of inadvertently approving malicious requests.
Techniques attackers use
- Floods of requests: Attackers may flood your devices with a stream of push notification requests, making it difficult to distinguish legitimate requests from fraudulent ones.
- Urgent or threatening messages: Cybercriminals might send urgent or threatening messages, coercing you into approving authentication requests out of fear or concern.
- Fake alerts or promotions: Attackers will disguise push notifications as alerts or promotions from reputable organizations or services.
How can you prevent it?
- Employee education: Educate users about the risks of MFA fatigue push spam attacks and be wary when push notifications, especially if they seem unusual or unexpected.
- Rate limiting: Limit the frequency of push notification requests sent to employees within a specified time frame to prevent overwhelming users with excessive requests.
- Contextual information: Include contextual information in push notifications, such as the user's recent activity or location, to help users assess the legitimacy of authentication requests more accurately.
Credential stuffing
📚 Quick definition: Credential stuffing is when attackers exploit reused or compromised credentials to gain access to an account.
Techniques attackers use
- Credential database compromises: Attackers will obtain databases of compromised credentials from previous data breaches or leaks. They then use automated tools to systematically test these credentials against various online accounts, including those protected by MFA.
- Brute force attacks: Cybercriminals will use automated scripts or tools to systematically guess passwords for user accounts. By employing a large volume of login attempts, attackers attempt to bypass MFA protections and gain access to accounts through trial and error.
- Credential phishing: Attackers use phishing emails or fraudulent websites to trick users into disclosing their login credentials, which can be used in credential stuffing attacks to gain access to user accounts, even if they're protected by MFA.
How can you prevent it?
- Strong password policies: Enforce strong password policies that require employees to create complex and unique passwords for their accounts to minimize the impact of credential stuffing attacks.
- Account lockout mechanisms: Implement account lockout mechanisms that temporarily lock user accounts after a certain number of failed login attempts. This helps prevent brute force attacks by limiting the number of login attempts an attacker can make.
- Monitoring and detection: Use monitoring and detection mechanisms to identify unusual login activity and user behavior for signs of suspicious activity.
Man-in-the-middle (MitM) attacks
📚 Quick definition: MitM attacks are when attackers intercept and manipulate communications between users and authentication systems to bypass MFA protections.
Techniques attackers use
- DNS spoofing: Attackers can modify DNS (Domain Name System) responses to redirect you to fraudulent websites or servers controlled by the attacker. By intercepting traffic between the user and the legitimate authentication system, attackers can capture authentication credentials and bypass MFA protections.
- SSL stripping: Attackers will use SSL (Secure Sockets Layer) stripping techniques to downgrade encrypted HTTPS connections to unencrypted HTTP connections. This allows them to intercept and modify traffic between the user and the authentication system, bypassing MFA protections.
- Rogue wi-Fi networks: Attackers may set up Wi-Fi networks with similar names to legitimate networks to lure you into connecting. Once connected, they'll intercept and manipulate traffic to capturing authentication credentials and bypass MFA.
How can you prevent it?
- HTTPS: Enforce the use of HTTPS for all communication between employees and authentication systems to prevent SSL stripping attacks. Ensure that SSL/TLS certificates are properly configured and regularly updated to maintain secure connections.
- Network segmentation: Implement network segmentation to isolate critical authentication systems from untrusted networks and devices. Restrict access to authentication systems to authorized users and devices only, and monitor network traffic for signs of unauthorized access or suspicious activity.
- VPNs and secure channels: Encourage employees to use VPNs or other secure channels when accessing authentication systems from remote or untrusted networks.
If you want to go the extra mile: use these security measures to enhance MFA
Hardware security keys: Hardware security keys offer a physical token for authentication, reducing the risk of phishing attacks and MFA fatigue.
Biometric authentication: Biometric authentication methods, such as facial recognition, use unique biological traits for identity verification.
Privileged access management (PAM): PAM solutions control access to your systems and data - so you can choose who gets access to what.
Change security behaviors at scale with Hoxhunt 🚀
Here at Hoxhunt, we believe that your typical security awareness training falls short when it comes to actually changing behavior.
That's why here at Hoxhunt, our advanced AI engine personalizes and delivers frequent simulations at scale to transform your “biggest risks” into an extra layer of human threat detection from real attacks.
Hoxhunt gives security teams a complete picture of risk and behavior change outcomes:
- 20x lower failure rates
- 90%+ engagement rates
- 75%+ detect rates
MFA Fatigue FAQ
What is a MFA fatigue attack?
An MFA fatigue attack is a cyber threat where attackers repeatedly attempt to authenticate user accounts, typically by exploiting vulnerabilities in multi-factor authentication (MFA) systems. The goal of these attacks is to exhaust users into approving fraudulent authentication requests.
How do MFA fatigue attacks work?
MFA fatigue threats often involve social engineering attacks or technical exploits to manipulate users into approving fraudulent authentication requests. Attackers may use various techniques such as push spam, contextual authentication manipulation, or credential stuffing to bypass MFA protections and gain unauthorized access to user accounts.
What is the best course of action to defend against MFA fatigue?
Organizations can prevent MFA fatigue attacks by implementing adaptive authentication mechanisms, educating users about MFA best practices, and utilizing risk-based authentication mechanisms. Enforcing strong password hygiene, monitoring user behavior, and implementing security awareness training programs can also help mitigate the risk of MFA fatigue attacks.
What are the potential consequences of MFA fatigue attacks?
The potential consequences of MFA fatigue attacks include unauthorized access to sensitive data, financial loss, reputation damage, and regulatory penalties.
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt