MFA Fatigue: Everything You Need to Know About the New Attack Method

MFA fatigue, also known as MFA exhaustion, 2FA fatigue, MFA push spam or prompt bombing, is a strategy used by hackers to bypass multi-factor authentication when breaking into user accounts. While other approaches for circumventing MFA rely on zero day vulnerablities, social engineering, hijacking active sessions or man-in-the-middle attacks, MFA fatigue follows a brute force approach: Using stolen, leaked or guessed credentials for their login attempt, attackers continuously bombard the account owner with prompts asking them to verify their identity. This barrage continues until they slip up, are worn down psychologically or the attacker moves on.

Authentication is the process of verifying your identity when logging into a device or service. Traditionally, this is done through a combination of username and password (single-factor). However, passwords are a weak form of authentication since they can be guessed, stolen or phished fairly easily. To avoid compromised accounts, most services now require additional verification through two-factor authentication (2FA) or multi-factor authentication (MFA).

Authentication methods (factors) include:

Although blunt, MFA fatigue can be a surprisingly effective strategy for attackers looking to bypass the additional layer of login security. With two-factor authentication being adopted by more and more services, answering MFA challenges has become so routine that people don’t always check them closely. The daily ritual of entering one-time passwords over and over can leave users inattentive, something that MFA fatigue exploits in the hopes that account holders will make a mistake.

But even if the person receiving the prompt identifies the login attempt as fraudulent, the endless barrage of notifications sometimes wears them down to the point that they grant access just to make it stop. The pressure on users is especially intense on mobile devices, as continuous push notifications can make it impossible to use your phone for anything else. Not to mention that the reliance on personal smartphones for texts and authenticator apps gives attackers 24/7 access to their victim. They can keep this bombardment up for days, and they only have to succeed once.

The first step of MFA fatigue attacks is to acquire a user’s basic login info, i.e. their email address and password. Unfortunately, this is a lot easier than you might expect: Cybercriminals have a variety of methods at their disposal when it comes to stealing user credentials. They can use leaked passwords from previous hacks to check if a person has used them across multiple applications. They can launch phishing campaigns to trick users into giving up their info voluntarily. They can even try guessing popular passwords at random until they hit a winning combination.

Once an attacker has made it past the first login step by entering the correct username and password, the second step of an MFA fatigue attack is to repeatedly spam authentication prompts and hope that the person on the other end either makes a mistake or caves under pressure. MFA fatigue attacks are not guaranteed to succeed since they cannot force the account holder to confirm the login. However, as a relatively simple strategy, MFA fatigue can be automated and scaled up fairly easily, meaning attackers often run many of these campaigns simultaneously.

MFA fatigue is leveraged by a variety of adversaries and will continue to be a popular strategy as long as it remains effective. One organization that has relied on the MFA fatigue for a number of high-profile attacks is Lapsus$, a hacking group known for extortion schemes that has targeted companies like NVIDIA, Samsung and Okta in the past. Since businesses do not disclose all details of security incidents, it is not clear whether prompt spam was used in all of these attacks.

Prominent examples, where the use of MFA fatigue has been confirmed or is heavily suspected include:

MFA fatigue exploits a few key weaknesses in the way organizations set up their two-factor security. For example, the technique becomes a lot less powerful if you implement increasing time limits in between prompts. Additionally, you could also limit the amount of tries a user has to verify their identity before you block further attempts. Be careful how you implement this, however, as it could be abused to execute denial of service attacks and stop all logins. Essentially, the same methods we already use to guard against guessing passwords through rapid spam also apply to MFA fatigue.

A second tweak that helps make MFA more resilient to these kinds of attacks is replacing a universal confirmation signal (such as a static PIN) with notifications that are specific to the login attempt in question. Many providers, including Microsoft, plan to switch to a number matching method for MFA: Instead of tapping confirm and entering their PIN, users are shown a number on the login screen and must enter the same number in the Authenticator app.

The best way to stop MFA fatigue attacks in their tracks is to make sure your staff knows what to look out for and how to respond. While most people have no trouble recognizing that something is wrong when their phone is continually buzzing with authentication attempts, they may not know what to do about this problem. Make sure that, on top of educating your employees on basic cybersecurity habits, they also know who to turn to for guidance. This way, your IT staff can walk them through the next steps, such as changing passwords on affected services.

The more MFA requests your users have to answer every day, the more likely it becomes for a fraudulent prompt to slip by unnoticed. To make sure that your staff remains attentive, it can help to reduce the overall number of logins they have to perform by switching to a single-sign on (SSO) solution, passwordless authentication or a federated identity system.

One of the most effective ways to lower the risk of fraudulent logins is to reduce the number of accounts your admins need to manage and protect. While most organizations have a process in place for providing new users with all the accounts and applications they need (i.e. user provisioning), many have no such procedure for removing accounts that are no longer necessary. This leads to a gradual build-up of orphaned accounts, whose owners have left the organization or switched to another department, but whose tokens, MFA apps and devices may have never been disabled.

Unfortunately, account maintenance can be a cumbersome and error-prone process, especially since different departments often forget to notify IT admins of relevant changes. To ensure that user accounts are kept up to date across all systems, identity & access management solutions like tenfold provide a central platform that lets you automate these kinds of adjustments.

IAM not only makes user and permission management faster and easier, but also helps you implement cybersecurity best practices such as zero trust and least privilege access. In combination with automatic user and privilege management, regular access reviews ensure that no one in your organization is left with access to resources they do not need. Learn more about the advantages of tenfold.