Preventing MFA Fatigue Attacks in the Age of Push Notifications

December 15, 2023

In today's world, where everyone connects online, extra steps like multi-factor authentication (MFA) become vital for keeping business data safe

However, there's a new problem popping up: MFA fatigue attack! This happens when cyber criminals keep sending multiple security prompts that people get tired of and accidentally let them in. 

You might have faced this annoying situation or heard about it from others. It's no fun being targeted by cyberattacks, and it's more concerning when this happens in your business.

In this blog, we're going to talk about what MFA fatigue attacks are, how they happen, and how you can stop them from affecting your business. We want to ensure you have the correct information and simple, effective ways to keep your business safe from these tricky attacks.

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security method where you need more than one piece of evidence to prove who you are before you can use a service, like logging into your email.

Usually, this means entering a password first and then getting a code on your phone or using your fingerprint. This makes it much harder for someone else to get into your accounts.

However, this strong defense can get breached by hackers that just won't quit through something called an MFA fatigue attack. These attacks exploit the very foundation of MFA. 

What is MFA?

MFA fatigue attack: The overload phenomenon

Imagine a typical day where you get a notification for an MFA login attempt. It's usually a simple tap on your phone to approve or deny access. But what if you suddenly start receiving an overwhelming number of these MFA notifications? This is the essence of an MFA fatigue attack.

Attackers, often skilled in social engineering, bombard a user with relentless MFA prompts. The goal is to overwhelm and fatigue the user to the point where, just to stop the incessant notifications, they might unintentionally approve a fraudulent login attempt. It's like someone constantly knocking on your door until you, tired and annoyed, finally open it.

The strategy behind these attacks is simple yet effective. The attacker doesn't need your username and password. They rely on the exhaustion of constant verification requests.

By bombing your device with MFA prompts, they wait for that one moment of weakness. And once you accidentally approve one of these requests, the attacker gains access to your account.

The overload phenomenon

Recent incidents and the rise of MFA fatigue attack

The Uber breach of 2022 is a significant example of how an MFA fatigue attack can impact even large, well-secured companies. In this incident, attackers used an MFA fatigue attack to gain unauthorized access to Uber's internal systems.

Here's a brief explanation of what happened:

• Initial access. The attackers started by gaining access to an Uber employee's credentials. This could have been through various means such as phishing, previous breaches, or other forms of hacking.

• MFA fatigue attack. With the credentials in hand, the attackers attempted to log into Uber's internal systems. However, access required MFA, which is where the fatigue attack came into play.

• Bombarding with MFA requests. The attackers repeatedly sent MFA prompts to the employee's device. These prompts are usually notifications that ask the user to confirm if they are trying to log in.

• Employee response. Due to the continuous and overwhelming number of MFA prompts, the employee eventually, perhaps accidentally or out of frustration, approved one of these requests.

• Gaining unauthorized access. Once the MFA approval was given, the attackers gained access to Uber's internal systems. From there, they could potentially have accessed sensitive data, internal communications, and other critical resources.

This incident highlights the effectiveness of MFA fatigue attacks and serves as a wake-up call for businesses of all sizes. There is a need for awareness, additional security measures, and employee training to combat such sophisticated cyberattacks.

MFA fatigue attack on Uber

The link between identity-based attacks and MFA fatigue

The connection between identity-based attacks and MFA fatigue plays a big role in today's cybersecurity challenges. Understanding this link is key to stopping MFA fatigue attacks.

In identity-based attacks, threat actors use stolen login credentials to pretend they're the real user. They combine this with an MFA fatigue attack, where they constantly send requests to wear down the user. 

The Lapsus group's activities provide a clear example of how identity-based attacks and MFA fatigue attacks are linked, highlighting a significant cybersecurity challenge.

In their operations, the Lapsus group first obtained login credentials through hacking methods. With these credentials, they could attempt to access secured accounts, but they faced the hurdle of MFA. To overcome this, they launched an MFA fatigue attack.

This example underscores the effectiveness of combining stolen credentials with a psychological attack vector like MFA fatigue. Understanding and addressing this tactic is essential for businesses looking to protect themselves from similar threats.

MFA fatigue attack  and identity-based attack

MFA fatigue attack detection and response

The first step in combating MFA fatigue attacks is detection. This often involves monitoring for unusual patterns of MFA requests.

An abnormally high number of requests, especially outside of regular business hours, can be a red flag. MFA providers and security teams should be alerted for signs of MFA bombing, a type of attack where users are bombarded with authentication requests.

These detection methods are vital for the early identification of potential threats, reducing the attack surface, and preventing unauthorized access to the account.

Response strategies for MFA attacks

Once an attack is detected, a swift and effective response is key. If an MFA fatigue attack is suspected, the first step is to temporarily suspend the MFA prompts to stop the bombardment. This allows the user and the security team to assess the situation without the pressure of ongoing requests.

Additionally, reviewing sign-in logs and MFA authentication records can help identify the origin of the attack. In some cases, changing the user’s login credentials and authentication methods might be necessary to prevent further attempts.

Detection and response strategies

Best practices for MFA fatigue attack prevention

Effective MFA fatigue attack prevention requires a strategic approach, focusing on technology, user behavior, and organizational policies. Here are key practices every business should adopt:

Educate employees

Training your team about MFA fatigue attacks and social engineering tactics is essential. 

Awareness programs should focus on how cybercriminals exploit human psychology, enabling employees to recognize and resist attempts like MFA bombing. Regular updates and drills can keep this knowledge fresh and applicable.

Limit MFA requests

Minimizing unnecessary authentication requests reduces the chances of fatigue. By analyzing the necessity of each MFA prompt, you can avoid overwhelming users with excessive notifications, thereby lowering the risk of accidental approvals.

Diverse authentication methods

Using various MFA methods, such as biometrics, security keys, or mobile prompts, makes it harder for a hacker to exploit. This diversity not only adds layers of security but also offers flexibility to users, reducing the monotony of repetitive 2FA prompts.

MFA best practices

Defend your business against MFA fatigue

Safeguarding your business from MFA fatigue attacks is non-negotiable. These relentless security prompts may catch you off guard, but fret not—swift action can be your ally.

With early detection and response, you can outsmart attackers and keep your business fortress secure. Educate your team, minimize unnecessary requests, and spice up your authentication methods to ward off these cunning attacks.

Don't let MFA fatigue be the villain in your business's cybersecurity story. Reach out to us! We'll ensure your digital realm remains safe and sound.

Defend your business with AlwaysOnIT

Frequently asked questions

How do MFA fatigue attacks work?

MFA fatigue attacks work by sending numerous MFA requests, often in the form of MFA push notifications, to a victim's device. The continuous spamming of these requests aims to exhaust the victim, making them more likely to approve a malicious login attempt.

Are MFA fatigue attacks a recent phenomenon? 

MFA fatigue attacks have been observed for some time, but they gained prominence in cybersecurity discussions, notably in September 2022 following the Uber breach. The attackers in this incident used an MFA fatigue attack to gain unauthorized access to Uber's internal systems.

What are the common attack methods used in MFA fatigue attacks?

Attackers often initiate the MFA fatigue attack by obtaining a victim's login credentials through various means, such as phishing or hacking. Once they have these credentials, they repeatedly send MFA requests to the victim's device.

How can organizations protect against MFA fatigue attacks?

Organizations can take several steps to defend against MFA fatigue attacks, including educating employees about these attacks, limiting unnecessary MFA requests, diversifying authentication methods, and employing adaptive MFA systems to manage prompts more effectively.

Are there any signs to detect an ongoing MFA fatigue attack?

Yes, monitoring for unusual patterns of MFA requests, especially an abnormally high number of requests outside of regular business hours, can be a sign of an MFA fatigue attack. MFA providers and security teams should be alert for such signs.