MFA Fatigue: Everything You Need to Know About the New Hacking Strategy

With cybercrime on the rise, more and more organizations are implementing best practices such as multi-factor authentication (MFA) to protect their users from credential theft, phishing attempts and brute-force password guessing. To get around this added layer of protection, hacking groups have developed a new tactic: MFA fatigue relies on spamming victims with endless authentication prompts until they grant the attacker access by accident or out of sheer frustration. Read on to learn more about this approach, the anatomy of an MFA fatigue attack and what organizations can do to protect against MFA fatigue.

What Is MFA Fatigue?

MFA fatigue, also known as MFA exhaustion, 2FA fatigue, MFA push spam or prompt bombing, is a strategy used by hackers to get around multi-factor authentication when breaking into user accounts. While other approaches for circumventing MFA rely on social engineering, hijacking active sessions or man-in-the-middle attacks, MFA fatigue follows a brute-force approach.

The attacker logs in with stolen, leaked or guessed credentials, and the account owner is then continuously bombarded with prompts asking them to verify their identity. This barrage continues until they slip up, are worn down psychologically or the attacker moves on.

You can learn more about the different methods hackers use to bypass MFA in our guide to multi-factor authentication.

How MFA Fatigue Works

Although blunt, MFA fatigue can be a surprisingly effective strategy for attackers looking to bypass the additional layer of login security. With two-factor authentication being adopted by more and more services, answering MFA challenges has become so routine that people don’t always check them closely. The daily ritual of verifying your identity over and over again can leave users drained or inattentive, something that MFA fatigue exploits in the hopes that account holders will make a mistake.

But even if the person receiving the prompt identifies the login attempt as fraudulent, the endless barrage of notifications sometimes wears them down to the point that they grant access just to make it stop. The pressure on users is especially intense on mobile devices, as continuous push notifications can make it impossible to use your phone for anything else. Not to mention that the reliance on personal smartphones for texts and authenticator apps gives attackers 24/7 access to their victim. They can keep this bombardment up for days, and they only have to succeed once.

What Does an MFA Fatigue Attack Look Like?

The first step of MFA fatigue attacks is to acquire a user’s basic login info, i.e. their email address and password. Unfortunately, this is a lot easier than you might expect: Cybercriminals have a variety of methods at their disposal when it comes to stealing user credentials. They can use leaked passwords from previous hacks to check if a person has used them across multiple applications. They can launch phishing campaigns to trick users into giving up their info voluntarily. They can even try guessing popular passwords at random until they hit a winning combination.

Once an attacker has made it past the first login step by entering the correct username and password, the second step of an MFA fatigue attack is to repeatedly spam authentication prompts and hope that the person on the other end either makes a mistake or caves under pressure. MFA fatigue attacks are not guaranteed to succeed since they cannot force the account holder to confirm the login. However, as a relatively simple strategy, MFA fatigue can be automated and scaled up fairly easily, meaning attackers often run many of these campaigns simultaneously.

How to Protect Against MFA Fatigue


Use Resilient Authentication

MFA fatigue exploits a few key weaknesses in the way organizations set up their two-factor security. For example, the technique becomes a lot less powerful if you implement increasing time limits in between prompts. You could also limit the number of tries a user has to verify their identity before you block further attempts. Be careful how you implement this, however, as it could be abused to execute denial-of-service attacks and stop all logins. Essentially, the same methods we already use to guard against guessing passwords through rapid spam also apply to MFA fatigue.
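The two controls described above, as an added sketch that is not code from this article or from any MFA product: a per-account limiter that doubles the wait between push prompts and stops sending them after a cap. The class name, the thresholds and the choice to disable only the push channel (so the account owner can still sign in with another factor, which addresses the denial-of-service concern) are assumptions.

```python
import time


class PushPromptThrottle:
    """Per-account limiter for MFA push prompts (hypothetical helper)."""

    def __init__(self, base_delay=30.0, max_delay=3600.0,
                 max_unanswered=5, clock=time.monotonic):
        self.base_delay = base_delay          # seconds after the first prompt
        self.max_delay = max_delay            # upper bound for the backoff
        self.max_unanswered = max_unanswered  # prompts allowed without an approval
        self.clock = clock                    # injectable for testing
        self._state = {}  # account -> (prompts_sent, earliest_next_prompt)

    def request_prompt(self, account):
        """Decide what to do with a new prompt request.

        Returns "send", "wait" or "push_disabled". The last value only
        switches off push approvals for this account; it is not an
        account lockout, so spamming prompts cannot block every login.
        """
        sent, next_allowed = self._state.get(account, (0, float("-inf")))
        if sent >= self.max_unanswered:
            return "push_disabled"
        now = self.clock()
        if now < next_allowed:
            return "wait"
        # Increasing time limit: 30 s, 60 s, 120 s, ... capped at max_delay.
        delay = min(self.base_delay * 2 ** sent, self.max_delay)
        self._state[account] = (sent + 1, now + delay)
        return "send"

    def record_approval(self, account):
        """A verified sign-in clears the backoff for that account."""
        self._state.pop(account, None)


if __name__ == "__main__":
    throttle = PushPromptThrottle()
    # Constructed burst: three prompt requests in the same second.
    print([throttle.request_prompt("alice@example.com") for _ in range(3)])
```

A "push_disabled" result is also a useful alert for IT staff, since it means the account's password is most likely in someone else's hands.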

A second tweak that helps make MFA more resilient to these kinds of attacks is replacing a universal confirmation signal (such as a static PIN) with notifications that are specific to the login attempt in question. Many providers, including Microsoft, plan to switch to a number matching method for MFA: Instead of tapping confirm and entering their PIN, users are shown a number on the login screen and must enter the same number in the Authenticator app.

The advantage of the number matching approach is that users cannot grant access by accident since they don’t have the information necessary to complete the request.
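A minimal server-side sketch of number matching, added here as an illustration and not taken from Microsoft or any other provider: the number goes only to the login screen, the push notification carries no number, and each challenge can be answered once. The function names, the in-memory store and the two-digit range are assumptions.

```python
import hmac
import secrets

# challenge_id -> {"account": ..., "number": ...}; in-memory store for the example
_pending = {}


def start_login(account):
    """Create a challenge after the password step succeeds.

    Returns (challenge_id, number_for_login_screen, push_payload).
    The number is shown only in the browser that started the login.
    """
    challenge_id = secrets.token_urlsafe(16)
    number = str(secrets.randbelow(90) + 10)  # 10..99, from a CSPRNG
    _pending[challenge_id] = {"account": account, "number": number}
    # The push notification deliberately omits the number: whoever holds
    # the phone must read it off the login screen they are looking at.
    push_payload = {"challenge_id": challenge_id, "account": account}
    return challenge_id, number, push_payload


def answer_challenge(challenge_id, entered):
    """Check the number typed into the authenticator app.

    The challenge is removed before comparing, so a wrong guess burns it
    and a correct answer cannot be replayed.
    """
    challenge = _pending.pop(challenge_id, None)
    if challenge is None:
        return False
    return hmac.compare_digest(challenge["number"].encode(),
                               str(entered).encode())


if __name__ == "__main__":
    cid, shown, push = start_login("alice@example.com")
    print("login screen shows:", shown)
    print("push payload:", push)
    print("owner types the shown number:", answer_challenge(cid, shown))
    print("same challenge replayed:", answer_challenge(cid, shown))
```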


Educate Your Employees

The best way to stop MFA fatigue attacks in their tracks is to make sure your staff knows what to look out for and how to respond. While most people have no trouble recognizing that something is wrong when their phone is continually buzzing with authentication attempts, they may not know what to do about this problem. Make sure that, on top of educating your employees on basic cybersecurity habits, they also know who to turn to for guidance. This way, your IT staff can walk them through the next steps, such as changing passwords on affected services.


Ease Login Fatigue

The more MFA requests your users have to answer every day, the more likely it becomes for a fraudulent prompt to slip by unnoticed. To make sure that your staff remains attentive, it can help to reduce the overall number of logins they have to perform by switching to a single sign-on (SSO) solution, passwordless authentication or a federated identity system.


Reduce Your Attack Surface With IAM

One of the most effective ways to lower the risk of fraudulent logins is to reduce the number of accounts your admins need to manage and protect. While most organizations have a process in place for providing new users with all the accounts and applications they need (i.e. user provisioning), many have no such procedure for removing accounts that are no longer necessary. This leads to a gradual build-up of orphaned accounts, whose owners have left the organization or switched to another department, but whose tokens, MFA apps and devices may have never been disabled.

Unfortunately, account maintenance can be a cumbersome and error-prone process, especially since different departments often forget to notify IT admins of relevant changes. To ensure that user accounts are kept up to date across all systems, identity & access management solutions like tenfold provide a central platform that lets you automate these kinds of adjustments.

IAM not only makes user and permission management faster and easier, but also helps you implement cybersecurity best practices such as zero trust and least privilege access. In combination with automatic user and privilege management, regular access reviews ensure that no one in your organization is left with access to resources they do not need. Learn more about the advantages of tenfold.

About the Author: Joe Köller

As a content manager at tenfold, Joe Köller dives deep into topics like compliance, IT security and access management. His interests also include digital media, American literature and gardening.