How To Stop MFA Fatigue Attacks


As organizations continue to digitize and passwords proliferate across systems, applications, and even assets, identity and access management (IAM) has become a pillar of cybersecurity. One component of IAM has become ubiquitous with access security: multi-factor authentication (MFA).

MFA is an access control technique that adds a layer of security to user logins and access by requiring the user to verify their identity. MFA uses at least two forms of authentication; two-factor authentication (2FA) is the specific case that uses exactly two. Authentication factors can include something you have, something you know, and/or something you are, such as your mobile device, a security question, or a biometric like a fingerprint.

In today’s complex threat landscape, MFA is often considered the minimum barrier an organization can implement and is a vital part of utilizing a zero trust framework. One of the major breaches of 2023, at the genetic data sharing organization 23andMe, was the direct result of a lack of MFA, which allowed a credential stuffing attack to succeed.

The use of MFA is, fortunately, increasing among organizations. In 2022, Arctic Wolf found that 58% of organizations our incident response (IR) team engaged with during business email compromise (BEC) incidents lacked MFA. That number has dropped to 25% in the first quarter of 2024.

However, while MFA should be in place across an organization’s environment, it isn’t impenetrable. MFA fatigue attacks are becoming more common among threat actors, especially as stolen credentials rise in volume and are used as an initial attack method.

What Is MFA Fatigue?

MFA fatigue, or MFA fatigue attacks, are also referred to as “prompt bombing,” “push bombing,” or “notification fatigue.” Each of these names refers to the overload of prompts or notifications a victim receives via MFA applications during a threat actor’s targeted attack.
It’s important to note that MFA fatigue attacks only happen if a threat actor has the credentials of the target account from a previous compromise or social engineering attack such as phishing, brute force, or password spraying.

While MFA fatigue attacks are often used as part of the initial access phase of an attack, as commonly seen with BEC incidents, they can be used at any stage if a threat actor is trying to gain access to a particular account or application. MFA fatigue attacks can just as easily be utilized for lateral movement or privilege escalation as they can for initial access.

How Does an MFA Fatigue Attack Happen?

An MFA fatigue attack occurs when a threat actor, after entering credentials into a login screen, begins requesting approval for sign-in from the targeted victim’s MFA application.

The goal for the threat actor here is to repeatedly send push notifications to the target’s phone requesting sign-in approval in the hopes that the target will eventually approve a request to make the notifications stop. Once this happens, the threat actor gains access to everything the MFA application protects.

An MFA Fatigue attack has the following stages:

1. The threat actor gains credentials through social engineering, theft, or through the dark web.

2. The threat actor enters the credentials and sends an MFA prompt to the unsuspecting user.

3. If the user does not immediately accept the prompt, the threat actor sends prompts repeatedly to create “fatigue” in the user.

4. Once the user accepts the prompt, the threat actor gains access to all applications and assets beyond that access point.

In 2022, one of the more high-profile MFA fatigue attacks occurred at transportation giant Uber. The threat actor — revealed to be a teenage hacker — sent multiple notifications to a single user, and then contacted them via WhatsApp, claiming to be internal IT letting them know the prompts were valid and to accept. With that access, the hacker was able to move through shared network access points, escalating the attack. It’s not uncommon for threat actors to combine multiple social engineering tactics, in this case smishing and MFA fatigue, to build trust and manipulate a target.

[Figure: How an MFA attack occurs.]

MFA Fatigue and Credential Theft

An MFA fatigue attack can only be launched once a threat actor has the correct login information. Unfortunately, it’s becoming easier and easier for threat actors to gain access to credentials. Verizon named credential theft as a top attack vector in their 2024 Data Breach Investigations Report, and Arctic Wolf’s own research found that 7% of engagements in 2023 involved historic credential compromise.

The myriad of ways threat actors can get their hands on credentials is only increasing, and that’s being assisted by the rise in identity-centric applications and expanding attack surfaces across organizations. The same threat actor who is targeting a user during an MFA fatigue attack could also have used a phishing attack on that same user to gain credentials. Stopping credential theft is the first step in preventing MFA fatigue attacks.

How To Prevent MFA Fatigue Attacks

There are a few ways that organizations and individual users can prevent an MFA fatigue attack.

1. Limit the number of MFA notifications allowed for a given user. Your organization can limit how many are allowed within a certain timeframe. This will prevent prompt bombing and can prevent a threat actor from even sending an MFA prompt notification.

2. Adjust or remove MFA notifications completely. If your organization uses a prompt where a user only has to tap “yes,” consider changing it to a more involved action. Most MFA providers will allow you to disable push notification requests as a verification method and use a challenge-and-response or time-based one-time password (TOTP) verification method instead for increased security. Single sign-on (SSO) technology also removes MFA notifications, preventing threat actors from gaining access to specific applications.

3. Explore implementing a web authenticator for MFA. For the current highest level of MFA security, your organization should consider adding a web authenticator to your environment if your applications and devices are compatible.

4. Add additional context to MFA logins. From adding a geolocation tag, a fingerprint requirement, session history limits, or even behavioral analytics, there are multiple stop-gaps organizations can put in place to prevent an automatic “yes it’s me” response to MFA authentications while reducing MFA fatigue success rates.

5. Make sure your security awareness training program has content around MFA fatigue. As it’s a relatively new topic, your security awareness training may not have provided content around MFA fatigue attacks, yet. This would be a good opportunity to evaluate your provider and make sure the content is in line with current threats. It’s important for users to be suspicious of and report unauthorized MFA access attempts.

6. Invest in a monitoring solution that will detect unusual logins. A major benefit of a detection and response solution, such as managed detection and response (MDR), is that it can detect unusual user activity through the monitoring of identity systems. This could include login attempts at an odd time or location, repeated MFA prompt activations, or suspicious behavior post-login.

7. Create a robust identity and access management (IAM) framework that includes, but operates beyond, MFA. MFA is a single access control, and while an effective one, it should not be the only identity security tool in an organization’s toolkit. From adopting a zero trust framework to implementing identity threat detection and response (ITDR) policies to ensuring your monitoring technology includes identity sources, there are multiple steps an organization can take to stop a credential or identity attack in its tracks.
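Two of the measures above, limiting the number of push prompts a user can receive (step 1) and detecting repeated MFA prompt activity in identity logs (step 6), are concrete enough to show in code. The following is an added example written for this page, not Arctic Wolf's code or any vendor's product; the log line format, field names, and the thresholds (3 prompts per 10 minutes, 30-minute lockout) are assumptions chosen for illustration, and the sample log lines are constructed, not real data.

```python
"""Added example: a per-user rate limiter on MFA push prompts (prevention)
and a detector that scans authentication logs for prompt-bombing bursts
(detection).  Field names, thresholds and log lines are assumed/constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy values; tune them to your own identity provider's baseline.
MAX_PUSHES_PER_WINDOW = 3          # pushes allowed per user per WINDOW
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)    # push method disabled after the limit is hit


class PushRateLimiter:
    """Allow at most MAX_PUSHES_PER_WINDOW push prompts per user per WINDOW.
    When the limit is hit, push is locked out for LOCKOUT so a threat actor
    holding valid credentials cannot keep generating prompts."""

    def __init__(self):
        self._sent = defaultdict(deque)   # user -> timestamps of recent pushes
        self._locked_until = {}           # user -> datetime lockout expiry

    def allow_push(self, user, now):
        locked = self._locked_until.get(user)
        if locked and now < locked:
            return False
        recent = self._sent[user]
        while recent and now - recent[0] > WINDOW:   # drop pushes outside window
            recent.popleft()
        if len(recent) >= MAX_PUSHES_PER_WINDOW:
            self._locked_until[user] = now + LOCKOUT
            recent.clear()
            return False
        recent.append(now)
        return True


# Constructed sample identity-provider log (not real data).  'alice' shows the
# fatigue pattern: several denied/timed-out prompts, then an approval.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-03-04T09:12:40Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-03-04T09:13:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-03-04T09:13:50Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-03-04T09:14:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2024-03-04T09:15:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2024-03-04T11:02:10Z user=carol event=mfa_push result=denied src=192.0.2.9
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a UTC datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_prompt_bombing(log_text, threshold=MAX_PUSHES_PER_WINDOW, window=WINDOW):
    """Return one alert per user who received >= threshold push prompts inside
    any sliding window of length `window`.  The alert reports the largest burst
    and whether a prompt in that burst was approved (the case to treat as a
    likely compromise rather than just noise)."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) >= len(best)):
                best = burst
        if best:
            alerts.append({
                "user": user,
                "prompts": len(best),
                "approved_after_burst": any(r["result"] == "approved" for r in best),
                "src": sorted({r["src"] for r in best}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

Run as-is, the detector reports only `alice`: five prompts in under three minutes from one source address, ending in an approval, which is the signal an analyst would escalate; `bob` and `carol` fall below the threshold. The rate limiter is the preventive side of the same control: after three prompts in ten minutes the fourth is refused and push is disabled for half an hour, so the "fatigue" never builds.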

Learn more about how security training can prevent MFA fatigue attacks with The Complete Security Awareness Program Plan and Strategy Guide.
Explore the current threat landscape with the Arctic Wolf Labs 2024 Threat Report.

And experience what it’s like to become an Arctic Wolf Managed Security Awareness® customer and learn how an ongoing program can reduce your organization’s human risk.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.