The common maxim in cybersecurity is that the industry is always on the back foot. While cybersecurity practitioners build higher walls, adversaries are busy creating taller ladders. It’s the nature of the beast.
A prime example is multi-factor authentication (MFA), a security process that requires users to verify their identity in two or more ways, such as a password, a code sent to their phone, or a fingerprint. Many are adopting these tools to protect their digital assets, but malefactors are honing their strategies to undermine this critical layer of security.
Unfortunately for the industry, to err is human, and people are susceptible to all sorts of manipulation of their natural biases and behaviours. This has seen MFA fatigue emerge as a dangerous threat, because this type of attack exploits a basic yet powerful vulnerability: human behaviour.
In this blog, we’ll look at the concept of MFA fatigue, how bad actors exploit it, and what entities can do to strengthen defences against this cunning tactic.
MFA Fatigue: The ‘I Give Up’ Button in Cybersecurity
While MFA is extremely effective at preventing unauthorized access, it is not impervious to abuse.
MFA fatigue attacks, also known as push bombing or notification spamming, leverage a person’s psychological state to bypass security protocols.
Attackers flood their intended victim with repeated MFA prompts, often in quickfire succession, hoping to overwhelm or frustrate them into approving one of the requests—unwittingly granting access. Knowing people have limited patience, particularly with digital interruptions, bad actors exploit this by bombarding users relentlessly.
The victim might eventually approve the request just to end the nuisance, often mistaking it for a system glitch or routine error.
Other Ways Threat Actors Exploit Human Behaviour
Malefactors also weaponise social engineering, and MFA fatigue is often coupled with it: an attacker might contact the victim, masquerading as IT support, and advise them to approve the prompt to “resolve an issue.”
The combination of push spamming and social engineering creates a convincing scenario in which the victim feels pressured to comply.
Cybercriminals are clever. Exploiting weaknesses is the name of their game, and they are strategic about when to launch MFA fatigue attacks. Prime times are late at night or during busy periods, when users are less alert, distracted, or likely to prioritise convenience over caution.
Cybercriminals also exploit cognitive biases like confirmation bias and trust in systems. Victims may assume repeated prompts are an indication that the action is legitimate, reinforcing the false notion that approving one will resolve the problem.
The Playbook of an MFA Fatigue Exploit
To understand how bad actors exploit MFA fatigue, let’s break down the step-by-step strategy behind this cunning method.
- Initial Compromise: Malefactors first gain access to the victim’s credentials through phishing, brute force attacks, or dark web marketplaces. However, they hit a stumbling block when MFA stops them from logging in directly.
- MFA Bombing: Armed with the compromised username and password, they initiate a login attempt and trigger an MFA prompt. They repeat this process relentlessly, sometimes even hundreds of times.
- User Approval: At their wit’s end or misled, the target eventually gives in and approves one of the prompts, granting the attacker the keys to the kingdom.
- Lateral Movement: Once inside, crooks may escalate privileges, exfiltrate sensitive data, or deploy ransomware and other malicious tools.
Many organisations, including financial institutions and healthcare providers, have fallen victim to MFA fatigue attacks.
For instance, in 2022, Uber experienced a significant security breach attributed to MFA fatigue. The criminal used stolen credentials and push spamming to target an employee, who eventually approved a request. Once inside, the attacker gained access to sensitive systems and data, exposing the ride-hailing giant to regulatory scrutiny and financial damage.
When Too Much Security Is a Problem
As MFA becomes the standard practice, malicious actors are investing in finding the chinks in its armour. MFA fatigue is simply a natural evolution in their tactics—targeting the human element instead of trying to bypass the technology itself.
Unlike sophisticated malware or zero-day exploits, these attacks don’t need a lot of technical expertise. With stolen credentials readily available on the dark web, even relatively inexperienced cybercriminals can carry out these attacks.
Cyber crooks often bank on organisations thinking of MFA as a silver bullet for account security, but it isn’t. It is only one layer of defence, and over-reliance can create blind spots that can be exploited.
How to Beat MFA Fatigue Before It Beats You
As with almost every other aspect of cybersecurity, the first line of defence is awareness. Entities should train their staff to recognise MFA fatigue attacks and understand the importance of denying unauthorised prompts, no matter how persistent they may be. Clear protocols for reporting anomalous activity should also be established.
Advanced authentication systems can analyse contextual factors, like location, device, and login behaviour, to detect anomalies. If an MFA request comes from a strange device or location, the system can flag it or insist upon additional verification.
Certain MFA solutions let users limit the number of push notifications they receive. Restricting repeated prompts can prevent the fatigue that comes from being drowned in floods of requests.
Phishing-resistant MFA methods, such as FIDO2 tokens or biometrics, take the need for approval prompts out of the equation altogether. These methods are less susceptible to fatigue attacks because they require physical interaction or integral user characteristics.
There’s also risk-based authentication that dynamically adjusts security requirements based on the perceived risk of a login attempt. High-risk scenarios will trigger additional verification steps, limiting the impact of purloined credentials.
Other systems are able to implement time-out policies that temporarily lock accounts after a set number of failed login or MFA attempts—an approach that restricts the effectiveness of spamming techniques.
Finally, security teams need to actively monitor for unusual login attempts or excessive MFA prompts. There is also a slew of automated tools able to detect and respond to potential MFA fatigue attacks on the fly.
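The monitoring and time-out controls above, as an added example that is not part of the original post: a detection routine that counts push prompts per user in a sliding window and escalates when an approval follows a burst. The log format, event names (push_sent, push_denied, push_approved), thresholds and sample lines are all assumptions constructed for the illustration, not any vendor's.

```python
# Added example (not from the original post): flag MFA push bombing in
# authentication logs. Log format, event names and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> user=<id> event=<push_sent|push_denied|push_approved> ip=<addr>"
SAMPLE_LOG = """\
2024-03-01T02:10:03Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:10:05Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T02:10:09Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:10:15Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:10:20Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:10:31Z user=alice event=push_approved ip=203.0.113.7
2024-03-01T09:00:00Z user=bob event=push_sent ip=198.51.100.2
2024-03-01T09:00:04Z user=bob event=push_approved ip=198.51.100.2
"""

def parse_events(log_text):
    """Yield one dict per non-empty line with ts (datetime), user, event, ip."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield fields

def detect_push_bombing(log_text, max_pushes=3, window=timedelta(minutes=5)):
    """One alert per user who got more than max_pushes prompts inside any sliding
    window; an approval after such a burst is the signature of a successful attack."""
    by_user = defaultdict(list)
    for e in parse_events(log_text):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        pushes = sorted(e["ts"] for e in evs if e["event"] == "push_sent")
        for i, start in enumerate(pushes):
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) <= max_pushes:
                continue
            end = burst[-1]
            denials = sum(1 for e in evs if e["event"] == "push_denied" and start <= e["ts"] <= end)
            approved = any(e["event"] == "push_approved" and e["ts"] >= end for e in evs)
            # approved burst: lock the account and open an incident;
            # unapproved burst: stop further pushes (the time-out policy above)
            alerts.append({"user": user, "pushes": len(burst), "denials": denials,
                           "approved_after_burst": approved,
                           "action": "lock_and_investigate" if approved else "suspend_push"})
            break  # one alert per user is enough for triage
    return alerts
```

Run against a real push log by swapping SAMPLE_LOG for the file contents and adjusting the parser to the vendor's field names; the window and threshold should be tuned to the organisation's normal prompt rate.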
A Cornerstone, Not a Standalone
By understanding the tactics behind MFA fatigue and implementing robust defences, firms can cut the risks and reinforce the integrity of their security systems.
MFA will always be a cornerstone of account security, but it is not a standalone solution. A mix of technical measures, user education, and proactive monitoring builds a layered defence that limits vulnerabilities.
As the black hats tweak their TTPs, security practitioners must stay a step ahead, and make sure that even the most subtle exploitation of human behaviour does not compromise critical systems.
Entities should treat MFA fatigue attacks as a wake-up call: cybersecurity is not just about technology but also about understanding and addressing the psychology of users.