Government sources like NIST and CISA regularly point out how implementing multifactor authentication (MFA) is a cybersecurity best practice for securing user accounts. By taking a layered approach to account access, MFA requires users to provide two or more categories of evidence to verify their identities and access their registered accounts on various apps and services. And for the most part, this is solid advice—MFA works far better than just relying on passwords to authenticate accounts.
However, demonstrating their relentless adaptability, threat actors now actively target certain implementations of MFA with a new strategy dubbed MFA fatigue. Read on to find out what MFA fatigue is and how to mitigate this emerging threat.
MFA fatigue is a cyberattack that uses a brute-force approach to bombard users with notifications or prompts in an attempt to circumvent MFA security controls. There is a social engineering element at play with MFA fatigue because its success is partly predicated on inducing either frustration or human error.
As a reminder, MFA requires two or more combinations of:
Organizations usually try to balance security and user experience by combining the first factor with either of the other two. In practice, compliance headaches and other challenges with biometric data mean that a combination of something the user knows and something the user has is the most common type of MFA implementation.
MFA fatigue only works if the malicious actor carrying out this strategy first gets access to something the victim knows, which is usually their username-password credentials. It’s perhaps unsurprising that these credentials might be easily available in a world where there are 24 billion stolen credentials circulating on the dark web. Moreover, threat actors craft increasingly advanced phishing emails that dupe people into revealing their credentials under any number of pretenses. Finally, low levels of cyber awareness among many businesses and individuals mean that users still choose easy-to-guess passwords.
Armed with the correct set of credentials, threat actors have figured they can sometimes get around MFA when it’s configured to send push notifications to a user’s smartphone app in order to approve logins (this would be something the user has; a smartphone with an application on it). By simply spamming the user with dozens of push notifications, the hope is that a login attempt eventually gets approved.
Aside from the possibility of a target simply tiring of push requests and eventually approving one just to make them disappear, it’s also possible to increase the chances of success with MFA fatigue through additional social engineering. The perpetrator could send an email purporting to be from the IT department, asking the victim to accept the login approval request.
While MFA fatigue lacks technical sophistication as a cyber threat and arguably has a low success percentage, it’s easy to scale and even automate, which adds to its danger.
Before getting to mitigation tips, here is a brief overview of some real-world cyber incidents and the prominent role MFA fatigue played in them.
A September 2022 breach of the ride-hailing app Uber began with the perpetrator purchasing or downloading an Uber contractor’s login credentials from the dark web. Having spammed the contractor with login approval requests, the attacker masqueraded as IT support, messaged the contractor on WhatsApp, and encouraged the contractor to approve the login requests.
A May 2022 ransomware attack on Cisco resulted in almost three gigabytes of data being exfiltrated from the company’s internal network. The attack started when threat actors stole credentials for a Cisco employee’s personal Google account. Synced to this Google account were corporate credentials for accessing Cisco’s internal network via a VPN. Eventual access to the network followed when the employee got bombarded with push notifications and eventually approved a login request to the VPN.
A spate of attacks originating in Russia targeted multiple government entities and businesses around the world in 2021. In some of these incidents, threat actors were observed trying to bypass MFA through multiple authentication attempts in what were probably the first instances of MFA fatigue attacks. Microsoft Office 365 accounts were specifically targeted by the threat actors.
Here are some tips for mitigating the threat of MFA fatigue:
The emergence of MFA fatigue doesn’t suddenly weaken MFA as a security measure. Any combination of two or more factors is stronger than just relying on a single factor. However, it’s clear that certain implementations of MFA carry a greater probability of being bypassed than others with these brute-force methods.