MFA Fatigue: Everything You Need to Know About the New Attack Method

With cybercrime on the rise, more and more organizations are implementing best practices such as multi-factor authentication (MFA) to protect their users from credential theft, phishing attempts and brute-force password guessing. To get around this added layer of protection, hacking groups have developed a new tactic: MFA fatigue relies on spamming victims with endless authentication prompts until they grant the attacker access by accident or out of sheer frustration. Read on to learn more about this approach, the anatomy of an MFA fatigue attack and what organizations can do to protect against MFA fatigue.

What Is MFA Fatigue?

MFA fatigue, also known as MFA exhaustion, 2FA fatigue, MFA push spam or prompt bombing, is a strategy used by hackers to bypass multi-factor authentication when breaking into user accounts. While other approaches for circumventing MFA rely on zero day vulnerablities, social engineering, hijacking active sessions or man-in-the-middle attacks, MFA fatigue follows a brute force approach: Using stolen, leaked or guessed credentials for their login attempt, attackers continuously bombard the account owner with prompts asking them to verify their identity. This barrage continues until they slip up, are worn down psychologically or the attacker moves on.

What Is Multi-Factor Authentication?

Authentication is the process of verifying your identity when logging into a device or service. Traditionally, this is done through a combination of username and password (single-factor). However, passwords are a weak form of authentication since they can be guessed, stolen or phished fairly easily. To avoid compromised accounts, most services now require additional verification through two-factor authentication (2FA) or multi-factor authentication (MFA).

Authentication methods (factors) include:

  • Knowledge: Passwords, security questions, PIN codes

  • Possession: Keycards, Smartphone apps, authenticator keys

  • Inherence: Biometric data, face recognition, fingerprints, voice recognition

How MFA Fatigue Works

Although blunt, MFA fatigue can be a surprisingly effective strategy for attackers looking to bypass the additional layer of login security. With two-factor authentication being adopted by more and more services, answering MFA challenges has become so routine that people don’t always check them closely. The daily ritual of entering one-time passwords over and over can leave users inattentive, something that MFA fatigue exploits in the hopes that account holders will make a mistake.

But even if the person receiving the prompt identifies the login attempt as fraudulent, the endless barrage of notifications sometimes wears them down to the point that they grant access just to make it stop. The pressure on users is especially intense on mobile devices, as continuous push notifications can make it impossible to use your phone for anything else. Not to mention that the reliance on personal smartphones for texts and authenticator apps gives attackers 24/7 access to their victim. They can keep this bombardment up for days, and they only have to succeed once.

What Does an MFA Fatigue Attack Look Like?

The first step of MFA fatigue attacks is to acquire a user’s basic login info, i.e. their email address and password. Unfortunately, this is a lot easier than you might expect: Cybercriminals have a variety of methods at their disposal when it comes to stealing user credentials. They can use leaked passwords from previous hacks to check if a person has used them across multiple applications. They can launch phishing campaigns to trick users into giving up their info voluntarily. They can even try guessing popular passwords at random until they hit a winning combination.

Once an attacker has made it past the first login step by entering the correct username and password, the second step of an MFA fatigue attack is to repeatedly spam authentication prompts and hope that the person on the other end either makes a mistake or caves under pressure. MFA fatigue attacks are not guaranteed to succeed since they cannot force the account holder to confirm the login. However, as a relatively simple strategy, MFA fatigue can be automated and scaled up fairly easily, meaning attackers often run many of these campaigns simultaneously.

Examples of MFA Fatigue Attacks

MFA fatigue is leveraged by a variety of adversaries and will continue to be a popular strategy as long as it remains effective. One organization that has relied on the MFA fatigue for a number of high-profile attacks is Lapsus$, a hacking group known for extortion schemes that has targeted companies like NVIDIA, Samsung and Okta in the past. Since businesses do not disclose all details of security incidents, it is not clear whether prompt spam was used in all of these attacks.

Prominent examples, where the use of MFA fatigue has been confirmed or is heavily suspected include:

  • Uber Attackers were able to access the company’s internal Slack server and vulnerability reports after repeatedly sending approval requests to a contractor, as confirmed by an official security update. The scope of the attack appears limited, in part thanks to a swift response by IT officials.

  • Microsoft – Microsoft became the victim of Lapsus$, leading to the release of 37 GB of data from an internal devops server. This leak allegedly includes most of Bing’s source code and significant chunks of Bing Maps and Cortana. While the company’s response focused on discussing Lapsus$ methods in general, many suspect that either MFA fatigue or bribery was used to gain initial access to the compromised account.

  • Cisco – The ransomware gang Yanluowang gained access to Cisco’s network through a combination of voice phishing and MFA fatigue, targeting an employee whose work credentials were synced to their personal Google account. Luckily, no ransomware was deployed before the attack was detected and contained, though hackers still managed to steal roughly 3 gigabytes of sensitive data.

How to Protect Against MFA Fatigue


Use Resilient Authentication

MFA fatigue exploits a few key weaknesses in the way organizations set up their two-factor security. For example, the technique becomes a lot less powerful if you implement increasing time limits in between prompts. Additionally, you could also limit the amount of tries a user has to verify their identity before you block further attempts. Be careful how you implement this, however, as it could be abused to execute denial of service attacks and stop all logins. Essentially, the same methods we already use to guard against guessing passwords through rapid spam also apply to MFA fatigue.

A second tweak that helps make MFA more resilient to these kinds of attacks is replacing a universal confirmation signal (such as a static PIN) with notifications that are specific to the login attempt in question. Many providers, including Microsoft, plan to switch to a number matching method for MFA: Instead of tapping confirm and entering their PIN, users are shown a number on the login screen and must enter the same number in the Authenticator app.

The advantage of the number matching approach is that users cannot grant access by accident since they don’t have the information necessary to complete the request.


Educate Your Employees

The best way to stop MFA fatigue attacks in their tracks is to make sure your staff knows what to look out for and how to respond. While most people have no trouble recognizing that something is wrong when their phone is continually buzzing with authentication attempts, they may not know what to do about this problem. Make sure that, on top of educating your employees on basic cybersecurity habits, they also know who to turn to for guidance. This way, your IT staff can walk them through the next steps, such as changing passwords on affected services.


Ease Login Fatigue

The more MFA requests your users have to answer every day, the more likely it becomes for a fraudulent prompt to slip by unnoticed. To make sure that your staff remains attentive, it can help to reduce the overall number of logins they have to perform by switching to a single-sign on (SSO) solution, passwordless authentication or a federated identity system.


Reduce Your Attack Surface With IAM

One of the most effective ways to lower the risk of fraudulent logins is to reduce the number of accounts your admins need to manage and protect. While most organizations have a process in place for providing new users with all the accounts and applications they need (i.e. user provisioning), many have no such procedure for removing accounts that are no longer necessary. This leads to a gradual build-up of orphaned accounts, whose owners have left the organization or switched to another department, but whose tokens, MFA apps and devices may have never been disabled.

Unfortunately, account maintenance can be a cumbersome and error-prone process, especially since different departments often forget to notify IT admins of relevant changes. To ensure that user accounts are kept up to date across all systems, identity & access management solutions like tenfold provide a central platform that lets you automate these kinds of adjustments.

IAM not only makes user and permission management faster and easier, but also helps you implement cybersecurity best practices such as zero trust and least privilege access. In combination with automatic user and privilege management, regular access reviews ensure that no one in your organization is left with access to resources they do not need. Learn more about the advantages of tenfold.

tenfold demo video

Protect Sensitive Data From Unauthorized Access

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.