Skip Navigation

May 28, 2024 |

What is an MFA fatigue attack?

Loading table of contents...

Passwords were designed to be an easy way to keep your online accounts safe from compromise. That was, however, until threat actors created strategic ways to compromise credentials (through brute force attacks, password spraying, and more) and gain unauthorized access to accounts anyway.

This simple measure was no longer enough to protect individuals' and businesses' information online, which ultimately led to the widespread adoption of multi-factor authentication (MFA).

While implementing MFA is still considered a cybersecurity best practice, threat actors are now using MFA in malicious ways in what the industry calls "MFA fatigue attacks".

Before we explore how cybercriminals use MFA to their advantage, let’s discuss what multi-factor authentication is and how it’s supposed to be used.

What is MFA?

Multi-factor authentication is a security feature requiring two methods of verifying a user's identity before they can access an account. Users who log into their accounts don't get immediate access, as they would with traditional password-based authentication. Instead, they receive a message, usually by text or email, that includes a link they need to click to access their account.

Are you prepared for tomorrow’s threats?

Dive into the past, present, and future of cybersecurity with The State of Cybersecurity eBook.

Download now

Other times, the person will receive an email or text containing a short code the user must enter on the login screen to get access or a pre-determined security question they need to provide a correct answer for. That said, the click-the-link model is the most widely used.

MFA was a huge step up from requiring a username and password to log in. Without MFA, a hacker with login details can essentially walk right into the system.

What is an MFA fatigue attack?

An MFA fatigue attack—also sometimes called prompt spamming, push spam, and authentication bombing—is not a particularly high-tech hacking approach. These are social engineering, a relatively easy and cheap hacking tactic used to exploit the system’s biggest weakness—humans.

In an MFA fatigue attack, the hacker first obtains the target's username and password. From there, they continuously send MFA notifications to the account holder until that person approves the login attempt, unknowingly giving the attacker access to their account.

The typical goal of an MFA fatigue attack is to overwhelm or confuse the targeted individual so that they click on the link in the notice. Once they do that, the hacker can access the account or system.

If the hacker doesn't get a response, they may take it a step further by contacting the user directly. For example, in September 2022, Uber suffered an attack after user credentials leaked on the dark web. The attacker gained access to one account and, after spamming one male employee with MFA prompts for over an hour, reached out to that employee posing as Uber IT personnel.

The attacker explained that the prompts would stop if he approved, which he did.

Why are MFA fatigue attacks so common?

One study found that about one-third of companies have been targets of MFA fatigue attacks.

MFA fatigue attacks are increasingly common because they work. When people receive multiple notifications, they may accidentally click the link or do so intentionally because they think there's a glitch. Besides, the request is coming from a trusted system. Most people know not to click links from sources they don't know or recognize, but not many expect an MFA verification link to be malicious.

These notifications also leverage one major vulnerability of MFA systems: no gatekeeping of where the login occurs and who clicks the notification link. Many MFA systems are specifically designed to require the user to click the link on a device other than the one they use to log into the account.

For example, when you log into your email account on your work computer, the MFA prompt goes to your phone. This process opens the door for an MFA fatigue attack because the hacker wouldn't be on the user's device, and the system is okay with that.

A final reason that these attacks are common is that they're relatively easy to automate. When the attacker doesn't have to send these push notifications manually, they can bombard more targets faster, making it easier to find one who's willing to click that link and let them in. 

How to defend against an MFA fatigue attack

Luckily, defending against an MFA fatigue attack is relatively straightforward. There are many ways to increase your cybersecurity to help stop employees from accidentally granting access to a hacker.

Educate users

As always, it starts with awareness.

Whether you must protect employees, customers, or both, education is a critical component of avoiding an MFA fatigue attack. You need to provide your team with information that explains what an MFA fatigue attack is, how it happens, and how to avoid falling victim to one.

Arm your team with the intel they need.

The cyberattacks your team should know about plus best practices to defend effectively, all in one The Employee Handbook.

Get a copy now

Ensure users know they should never receive multiple notifications. If they do, also ensure that employees know exactly who to contact and how. Make it clear they should never click on a link when they have not tried to access the system themselves.

Limit authentication messages

MFA fatigue attacks work because they wear down the user with notification after notification. If your system allows someone to attempt to log in continuously and send multiple verification notifications without a limit, then it's incredibly vulnerable to this type of hack.

You may want to change your system to allow only a few login attempts or notification messages. Once you place a limit, hackers can’t hound your teams with notifications.

Often, setting limits requires locking an account after a certain number of attempts. For example, you may configure your system so a user can only attempt to log in three times before their account locks. Then, the system will either require a specific action, such as contacting tech support, or enforcing a waiting period before the user can attempt to log in again.

While both can be effective, requiring a specific action by the user to unlock the account is the better approach because it ensures the legitimate user is the only one who can unlock the account.

Provide the user with more information

Most MFA systems send a generic message about clicking a link to log into the account. While this worked initially, the basic design is what allows MFA fatigue attacks to work so well. You can help prevent them by providing your system's users with more information.

If the authentication notification includes details about where the request originated, that could be the red flag that exposes the attack. For example, suppose your business and all employees are in New York, but the authentication email sent to your employee says the login attempt occurred in California.

In that case, it'll be clear that something suspicious is going on.

You can customize the data that comes with a notice by providing the IP address and the device used for logging in. Including more information in the notification makes the user more likely to recognize if there's a problem.

Implement trusted devices

Trusted devices are those a user has previously used to access the account. Many systems have a built-in option to implement trusted devices. Once a user clicks that a device is trusted, they will not have to go through the complex login process again when using that device. Because they should not get the MFA notification when using that trusted device, it will be an automatic red flag if they do receive one.

In some cases, the system will not allow access if a person is trying to log in from a device that is not trusted. This option works well for businesses where employees only use company-issued devices for logging in.

Change confirmation methods

The most vulnerable option for MFA is having the user click a link to verify. Instead of just clicking a link, it's better to have the user do something only the legitimate account holder can do.

One example is number matching. When the user gets the notification on their secondary device, they receive a PIN they must enter on the login screen of the device originally used to authenticate and access the account.

You might also consider eliminating passwords altogether. Instead, when logging in, the user only enters their username to trigger the MFA system to send a notification. To grant access, the system may then require biometrics—fingerprints or facial scans—or a one-time temporary password that’s unique and valid for only one session.

These alternatives help shut the door on threat actors. Without the information in the notification message, they cannot possibly get into the account because the second step must occur on the login page on the device used to access the account. With a link-only verification, the scammer can be on a different device and still get access.

Some companies use security keys similar to one-time temporary passwords. Users receive the security key outside the system through a different device and use it whenever they log in. Because the security key changes every time, there is no way for a hacker to figure it out. An MFA fatigue attack cannot bypass it since it works outside of an MFA system.

Be proactive about defending your system

Since MFA fatigue attacks rely largely on human error, preventing these attacks 100% of the time isn't completely realistic. For this reason, it's also important to have sophisticated cybersecurity technology that monitors for suspicious behavior, so you can quickly detect if a threat actor has entered your network and stop them before they can cause further damage.

Field Effect MDR is our holistic cybersecurity solution—built and managed by Field Effect's talented experts—for small to mid-sized businesses.

Choosing security solution

See how Field Effect MDR protects your business from the widest range of cyberattacks.

Watch the demo

In addition to detecting and blocking abnormal activity indicating a threat is present, Field Effect MDR also proactively resolves weaknesses so that it’s harder for an attacker to compromise your systems in the first place.

Working with a trusted partner to strengthen your system can protect your business. Contact our team today to learn more about Field Effect MDR and how it can revolutionize your business's cybersecurity.