As organisations continue to digitise and passwords proliferate across systems, applications, and even assets, identity and access management (IAM) has become a pillar of cybersecurity. One component of IAM has, in particular, become ubiquitous with access security: multi-factor authentication (MFA).
MFA is an access control technique that adds a layer of security to user logins by requiring the user to verify their identity with more than one method. MFA uses at least two forms of authentication, whereas two-factor authentication (2FA) uses exactly two. Authentication factors fall into three categories: something you have (such as a mobile device), something you know (such as a security question), and something you are (such as a biometric scan).
In today’s complex threat landscape, MFA is often considered the minimum barrier an organisation can implement and is a vital part of utilising a Zero Trust framework. For example, 58% of BEC cases investigated by Arctic Wolf in 2022 did not have MFA in place, highlighting its value as a security tool.
However, MFA is not impenetrable. In one of the more publicised hacks of 2022, an MFA fatigue attack exposed Uber’s confidential data. This tactic is becoming more common among threat actors, especially as stolen credentials become more plentiful and more widely used for initial access.
What Is MFA Fatigue?
MFA fatigue, also referred to as prompt bombing, push bombing, notification fatigue, or MFA fatigue attack, refers to the overload of prompts or notifications a victim receives via MFA applications during the attack. This technique only works if the threat actor already has the credentials of a targeted account from a previous compromise such as phishing, credential replay, brute forcing, or password spraying.
How Does an MFA Fatigue Attack Start?
Once the threat actor has a victim’s credentials, they start requesting approval for sign-in from the victim’s MFA application. The goal for the threat actor here is to repeatedly spam push notifications to the target’s phone requesting sign-in approval in the hopes that the target might believe there’s an issue with the MFA application and eventually approve a request to make the notifications stop. Once this happens, the threat actor gets access to everything the MFA application protects.
To break it down, here’s how an MFA fatigue attack works:
- The threat actor gains credentials through social engineering, theft, or through the dark web.
- The threat actor enters the credentials and sends an MFA prompt to the unsuspecting user.
- If the user does not immediately accept the prompt, the threat actor sends prompts repeatedly to create “fatigue.”
- Once the user accepts the prompt, the threat actor gains access to all applications and assets beyond that access point.
In the Uber hack, the threat actor, revealed to be a teenage hacker, sent multiple notifications to a single user, and then contacted them via WhatsApp, claiming to be internal IT letting them know the prompts were valid and to accept. With that granted access, the hacker was able to move through shared network access points, escalating the attack.
Utilising that second form of social engineering along with an MFA fatigue attack can be effective for threat actors, as it creates a false sense of trust.
MFA Fatigue and Stolen Credentials
As mentioned above, an MFA fatigue attack can only be launched once a threat actor has the correct login information. Credential theft is a rising attack vector used by cybercriminals, and according to the 2023 Arctic Wolf Labs Threat Report, “historic compromise” was listed as the root point of compromise for 7% of all incidents.
Implementing strong password hygiene and security training can prevent credential theft.
How Do You Protect Against MFA Fatigue?
There are a few ways that organisations and individual users can prevent an MFA fatigue attack.
- Be suspicious of unprompted MFA notifications. If you, the individual, did not initiate the MFA prompt, then don’t respond to it. Other suspicious traits include if it comes at an odd hour, from an unusual locale, or if the prompt repeats itself in a short amount of time.
- Limit the number of MFA notifications allowed. Your organisation can cap how many push requests are sent to a user within a given timeframe. This limits prompt bombing and can stop a threat actor from sending further MFA prompts at all.
- Adjust or remove MFA notifications completely. If your organisation uses a prompt where a user just has to hit “yes” on the prompt, consider changing it. Most MFA providers will allow you to disable push notification requests as a verification method and use a challenge & response or time-based one-time password verification method instead for increased security.
- Explore implementing WebAuthn for MFA. For the current highest level of MFA security, your organisation should consider adding WebAuthn in your environment if your applications and devices are compatible.
- Make sure your security training program has content around MFA fatigue. As it’s a relatively new topic, your security training program may not have provided content around MFA fatigue attacks yet. This is a good opportunity to evaluate your provider and make sure the content is in line with current threats.
- Invest in a monitoring solution that will detect unusual logins. A major benefit of a detection and response solution, such as managed detection and response (MDR), is that this technology will be able to detect unusual user activity. This could include login attempts at an odd time or location, repeated MFA prompt activations, or suspicious behaviour post-login.
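The two controls above that an identity platform or SIEM can automate, a per-user cap on push requests and detection of repeated prompt activations, look like this in practice. The following is an added example, not code from the original post or from any MFA vendor; the log format, the event names (push_sent, push_denied, push_approved), the threshold of three pushes per ten-minute window and the sample entries are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): ISO timestamp, user, event, source IP.
# "alice" receives eight pushes in six minutes from one address and approves the last one.
SAMPLE_LOG = [
    ("2023-03-01T02:00:00", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:00:40", "alice", "push_denied", "203.0.113.9"),
    ("2023-03-01T02:01:10", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:02:00", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:02:50", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:03:30", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:04:15", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:05:00", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:05:50", "alice", "push_sent", "203.0.113.9"),
    ("2023-03-01T02:06:10", "alice", "push_approved", "203.0.113.9"),
    ("2023-03-01T09:00:00", "bob", "push_sent", "198.51.100.4"),
    ("2023-03-01T09:00:20", "bob", "push_approved", "198.51.100.4"),
]

MAX_PUSHES = 3                  # assumed policy: more than 3 pushes per window is abnormal
WINDOW = timedelta(minutes=10)  # assumed sliding window for the cap

def analyse_mfa_log(log, max_pushes=MAX_PUSHES, window=WINDOW):
    """Replay push events in time order and return (alerts, suppressed).

    alerts: ("push_bombing", user, ip, ts) when a user exceeds max_pushes inside the
            window, and ("approved_during_burst", user, ip, ts) when an approval lands
            while that burst is still active, which is the MFA fatigue success signal.
    suppressed: pushes the per-user cap would have refused to send at all.
    """
    recent = defaultdict(deque)  # user -> timestamps of push attempts inside the window
    bursting = set()             # users currently over the cap
    alerts, suppressed = [], []
    for ts_str, user, event, ip in log:
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:  # age out attempts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)                 # attempts count even when the push is refused
            if len(q) > max_pushes:
                suppressed.append((ts_str, user, ip))
                if user not in bursting:
                    bursting.add(user)
                    alerts.append(("push_bombing", user, ip, ts_str))
        elif event == "push_approved" and user in bursting:
            alerts.append(("approved_during_burst", user, ip, ts_str))
        if not q:                        # burst has aged out; clear the state
            bursting.discard(user)
    return alerts, suppressed
```

An approval that arrives while a user is over the cap is the finding worth paging on, since it means the fourth control above (the user's own suspicion) has already failed.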