What Is an MFA Fatigue Attack and How Can You Protect Against It

The rising incidence of credential theft has forced companies to implement multi-factor authentication (MFA) to protect their employees from the serious effects of password theft. But attackers are now using MFA fatigue attacks to get around this extra layer of security.

So what is MFA fatigue? How do these attacks work? And what can you do to protect yourself?

What Is an MFA Fatigue Attack?

An MFA fatigue attack involves continuously bombarding an account owner with MFA push notifications until they slip up or are psychologically worn out and accept the login request.

Once the MFA request is approved, the attacker has access to the user’s account and can misuse it however they want.

The main goal of this type of attack is to send an endless barrage of MFA push notifications that wears the account owner down.

In due course, this fatigue causes the account owner to approve a sign-in request, either by accident or deliberately, just to make the stream of push notifications stop.

How an MFA Fatigue Attack Works

With more and more applications and services adopting multi-factor authentication, approving MFA push notifications becomes a routine task for account owners who have to approve MFA requests multiple times a day. Over time, approving MFA push notifications on a daily basis leads account owners to stop paying attention to them.

Furthermore, the constant bombardment of MFA notifications frustrates account owners, prompting them to approve the sign-in request just to stop the annoying notifications.

Because account holders usually run their authenticator apps on their smartphones, attackers can target them around the clock to wear them down.

What Happens in an MFA Fatigue Attack?

The first step in an MFA fatigue attack is to obtain the account user’s login credentials. There are several common tricks used to steal passwords, including phishing, spidering, and brute-force attacks.

Once an attacker has a user’s login credentials, they bombard them with multi-factor authentication prompts.

MFA fatigue attacks are easy to automate, and social engineering is often combined with the push flood to make the attack succeed.

For example, the target receives a phishing email asking them to approve an MFA request. The phishing email may also warn the target that they will receive a barrage of MFA requests in the coming days because a new security system is being rolled out, and that the requests will stop once the account owner approves the login attempt.

How to Defend Against an MFA Fatigue Attack

Here are some ways to stay safe from MFA fatigue attacks.

1. Enable additional context

Enabling additional context in MFA requests can provide better security and protect you against MFA fatigue attacks.

Additional context in the MFA request helps you understand which account triggered the MFA notification, the time of day the login attempt was made, the device used to attempt the login, and the location from which the login attempt was made.

If you see multiple MFA requests triggered from an unrecognized location or device while you are not trying to log in to an account, that is a sign that a threat actor is spamming you with push requests. Deny the requests, change the password for that account immediately, and notify your IT department if the account is connected to a company network.

Many MFA apps have this feature enabled by default. If your authenticator app doesn’t show additional context, check your app’s settings for an option to enable it.

2. Adopt risk-based authentication

Using an authenticator app with risk-based authentication capability can help protect against MFA fatigue attacks. Such an app detects and analyzes threat signals based on known attack patterns and adjusts the security requirements accordingly.

Known threat patterns include, but are not limited to, login attempts from unusual locations, repeated login failures, and MFA push harassment (a burst of push prompts the user never approves).

Check whether your MFA app provides risk-based authentication. If it does, enable it to stay safe from MFA push spamming.
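The "MFA push harassment" pattern above is easy to spot in an identity provider's push log: a run of denied or timed-out prompts for one user in a short window, possibly followed by an approval. The following is an added example, not code from the article or from any MFA vendor; it runs over a constructed log in an assumed four-column format (timestamp, user, prompt result, source IP) and flags users whose unapproved prompts exceed a threshold within a sliding window, recording whether an approval followed the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-notification log (not real IdP data). Assumed format:
# timestamp, user, result of the push prompt, source IP of the sign-in attempt.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z alice denied   203.0.113.9
2024-03-01T09:00:41Z alice timeout  203.0.113.9
2024-03-01T09:01:15Z alice denied   203.0.113.9
2024-03-01T09:01:50Z alice denied   203.0.113.9
2024-03-01T09:02:30Z alice timeout  203.0.113.9
2024-03-01T09:03:05Z alice approved 203.0.113.9
2024-03-01T09:05:00Z bob   approved 198.51.100.4
2024-03-01T13:30:00Z bob   approved 198.51.100.4
"""

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "result": result, "ip": ip})
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user with >= `threshold` unapproved push prompts
    inside `window`. A finding records the peak burst size, the source IPs,
    and whether an approval landed while the burst was still in the window,
    which is the signature of a successful fatigue attack."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] != "approved":
            q.append(ev["ts"])
            if len(q) >= threshold:
                f = findings.setdefault(ev["user"], {"unapproved": 0, "ips": set(),
                                                     "approved_after_burst": False})
                f["unapproved"] = max(f["unapproved"], len(q))
                f["ips"].add(ev["ip"])
        elif ev["user"] in findings and q:      # approval right after the burst
            findings[ev["user"]]["approved_after_burst"] = True
    return findings

if __name__ == "__main__":
    for user, f in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, f)
```

In a real deployment the window and threshold would be tuned to the organization's normal sign-in volume, and a finding with `approved_after_burst` set should be treated as a likely account compromise rather than just noise.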

3. Implement FIDO2 Authentication

MFA fatigue attacks can be prevented by adopting FIDO2 authentication across the company.

FIDO2 provides users with passwordless authentication and multi-factor authentication based on biometrics. Since your login credentials never leave your device, it eliminates the risk of credential theft, so threat actors have nothing to log in with and cannot spam you with MFA notifications.

4. Disable push notifications as a verification method

The MFA push notification feature was designed for ease of use. Account owners only need to tap “Yes” or “Allow” to log in to their accounts.

MFA fatigue attacks take advantage of exactly this feature of authenticator apps.
