How to Prevent MFA Fatigue Attacks – Technologist
As organisations digitise and manage a growing number of passwords across many systems and applications, Identity and Access Management (IAM) has become a cornerstone of cybersecurity. A key component of IAM is Multi-Factor Authentication (MFA), a security measure that strengthens login security by requiring users to verify their identity through multiple authentication factors. Unlike two-factor authentication (2FA), which uses exactly two factors, MFA can combine several types of authentication: something you have (e.g., a mobile device), something you know (e.g., a password) and something you are (e.g., a fingerprint). Here is why you should try to prevent MFA fatigue attacks:
What are MFA fatigue attacks?
In today’s landscape, MFA is often viewed as the minimum security measure an organisation can implement and is crucial to a zero-trust framework. The importance of MFA was underscored by a significant breach in 2023 at the genetic data-sharing company 23andMe, where the lack of MFA enabled a credential-stuffing attack to succeed.
Companies are beginning to use MFA
Fortunately, the adoption of MFA is on the rise. In 2022, 58% of organisations engaged during Business Email Compromise (BEC) incidents lacked MFA. That number dropped to 25% in the first quarter of 2024.
However, while MFA is essential, it is not a complete defence. MFA fatigue attacks are becoming increasingly common, especially as the volume of stolen credentials grows and attackers rely on those credentials for initial access.
What Is MFA Fatigue?
MFA fatigue, also known as “prompt bombing,” “push bombing,” or “notification fatigue,” occurs when an attacker bombards a victim with MFA notifications to the point of overwhelming them. This attack can only happen if the threat actor already has the target’s credentials, typically obtained through previous compromises such as phishing, brute force, or password spraying.
MFA fatigue attacks are often employed during the initial access phase of an attack, particularly in BEC incidents. However, they can be used at any stage when an attacker seeks access to specific accounts or applications. These attacks are also effective for lateral movement or privilege escalation within a network.
How Does an MFA Fatigue Attack Occur?
An MFA fatigue attack unfolds in the following stages:
Credential Acquisition: The attacker gains the victim’s login credentials through social engineering, theft, or purchasing them on the dark web.
MFA Prompting: The attacker enters the stolen credentials into a login screen and sends an MFA prompt to the victim’s device.
Notification Bombardment: If the victim does not immediately approve the prompt, the attacker repeatedly sends MFA requests, creating “fatigue” in the victim.
Access Gained: Once the victim finally approves a request to stop the notifications, the attacker gains access to all MFA-protected resources.
What happens if you fail to prevent an MFA fatigue attack?
A notable example of an MFA fatigue attack occurred in 2022 when a teenage hacker targeted the transportation giant Uber. The attacker sent multiple MFA notifications to a single user and then contacted them via WhatsApp, posing as internal IT. By convincing the user that the prompts were legitimate, the attacker gained access and escalated the attack.
Combining multiple social engineering tactics, such as smishing and MFA fatigue, is a common strategy for building trust and manipulating targets.
How to Prevent MFA Fatigue Attacks
Organisations and individuals can take several steps to prevent MFA fatigue attacks:
Limit MFA Notifications: Restrict the number of MFA notifications a user can receive within a given timeframe. Throttling at the identity provider stops an attacker from sending an unbroken stream of prompts, which is exactly what prompt bombing relies on.
Disable MFA Push Notifications: Consider replacing simple “yes” or “no” MFA prompts with more complex authentication methods. Most MFA providers allow disabling push notifications in favour of challenge-response or time-based one-time password (TOTP) methods.
Implement Web Authentication: Add a Web Authentication (WebAuthn) authenticator to your environment for the highest level of MFA security, provided your applications and devices support it. Because the authenticator answers a challenge bound to the legitimate site rather than a push prompt, there is nothing for an attacker to bombard.
Add Context to MFA Logins: Enhance MFA security by incorporating additional factors such as geolocation tags, fingerprint requirements, session history limits, or behavioural analytics. These measures can reduce the likelihood of an automatic “yes” response and lower the success rate of MFA fatigue attacks.
Include MFA Fatigue in Security Awareness Training: Ensure your security awareness training covers MFA fatigue attacks. Educate users to be cautious and report unauthorised MFA access attempts.
Invest in Monitoring Solutions: Use a detection and response solution, such as Managed Detection and Response (MDR), to monitor identity systems for unusual login activities, including repeated MFA prompt activations or suspicious behaviour post-login.
Strengthen Your IAM Framework: While MFA is essential, it should not be your only identity security tool. Implement a robust IAM framework that includes zero trust principles, Identity Detection and Response (IDR) policies, and monitoring technologies that cover identity sources to prevent credential or identity attacks.
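The notification throttle in the first step above and the repeated-prompt monitoring in the MDR step can be prototyped in a few lines. The following Python is an added example, not code from the original article; its event format, ten-minute window and three-prompt threshold are assumptions, and the log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (not real logs): (user, ISO time, outcome).
# "bob" shows a prompt-bombing burst that ends with the victim approving a request.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:05", "approved"),
    ("bob",   "2024-03-01T22:10:00", "timeout"),
    ("bob",   "2024-03-01T22:10:40", "denied"),
    ("bob",   "2024-03-01T22:11:15", "timeout"),
    ("bob",   "2024-03-01T22:12:02", "denied"),
    ("bob",   "2024-03-01T22:12:50", "timeout"),
    ("bob",   "2024-03-01T22:14:30", "approved"),
    ("carol", "2024-03-01T13:00:00", "denied"),
    ("carol", "2024-03-01T13:02:00", "approved"),
]

WINDOW = timedelta(minutes=10)   # sliding window for counting prompts (assumed policy)
MAX_UNANSWERED = 3               # unanswered prompts tolerated per window (assumed policy)

def parse(events):
    return [(u, datetime.fromisoformat(t), o) for u, t, o in events]

def should_send_prompt(user, history, now_iso, window=WINDOW, limit=MAX_UNANSWERED):
    """Server-side throttle: refuse to issue another push while the user already has
    `limit` or more denied/timed-out prompts inside the window."""
    now = datetime.fromisoformat(now_iso)
    unanswered = [t for u, t, o in parse(history)
                  if u == user and o != "approved" and timedelta(0) <= now - t <= window]
    return len(unanswered) < limit

def detect_push_bombing(events, window=WINDOW, threshold=MAX_UNANSWERED):
    """Detection pass over a log: flag users with >= threshold unanswered prompts in one
    window, and record whether an approval followed while the burst was still live."""
    recent = defaultdict(deque)   # user -> timestamps of recent unanswered prompts
    findings = {}
    for user, ts, outcome in sorted(parse(events), key=lambda e: e[1]):
        q = recent[user]
        while q and ts - q[0] > window:   # expire prompts that fell out of the window
            q.popleft()
        if outcome != "approved":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {"unanswered": 0, "approved_after": False})
                f["unanswered"] = len(q)
        elif user in findings and q:
            findings[user]["approved_after"] = True   # approval inside an active burst
    return findings
```

A finding with `approved_after` set is the case worth paging on: the account is now in use by whoever was sending the prompts.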
By following these steps, organisations can significantly reduce their risk of being victims of MFA fatigue attacks and strengthen their overall cybersecurity posture.