Multifactor authentication (MFA) has become a widely accepted standard for protecting access to sensitive data and systems. MFA improves security by requiring multiple forms of verification—such as something you know (password), something you have (a phone or security token), or something you are (fingerprint or facial recognition)—making it significantly harder for attackers to gain unauthorized access, even if one factor is compromised. However, cybercriminals are adapting their methods to bypass MFA systems, and a notable threat has emerged: the MFA fatigue attack.
What is an MFA fatigue attack?
An MFA fatigue attack, also known as MFA bombing or MFA spamming, involves a cybercriminal repeatedly attempting to log in to a target’s account, flooding their registered device with endless push notifications from an authenticator app. The goal is to wear down the victim’s patience and get them to approve a request without properly verifying it. When the victim approves one of these requests, the cybercriminal gains access to their account or system.
How MFA fatigue attacks work
An MFA fatigue attack typically unfolds in these steps:
Step 1: Credential theft
Cybercriminals first need your username and password. They commonly obtain them through:
- Phishing emails that trick you into entering your account details
- Data breaches at other companies
- Purchasing stolen credentials online
- Social engineering phone calls
- Malware or keyloggers on infected computers
Step 2: Login attempts
Once cybercriminals have your login details, they try to sign in to your accounts. When the system prompts for MFA, they just keep sending requests.
Step 3: Notification bombardment
Your phone, email, or computer starts receiving dozens of authentication requests, which may come as:
- Push notifications on your phone
- Text messages with codes
- Email notifications
- Pop-ups on your computer
Step 4: Social engineering
Cybercriminals might call you or contact you via a Teams message, posing as technical support. They'll claim the notifications are part of system maintenance or a routine security test. They’ll then ask you to approve these requests.
Unfortunately, MFA fatigue attacks are alarmingly effective. For example, in September 2022, cybercriminals used MFA fatigue to breach Uber's systems. They contacted an employee via WhatsApp, pretending to be IT support, and convinced the worker to approve the repeated authentication requests. The attack was successful because the employee got tired of the constant notifications and believed the fake IT support story, giving cybercriminals access to Uber's internal systems and sensitive data.
How to safeguard your business from MFA fatigue attacks
Protecting your business from MFA fatigue attacks starts with a few key best practices.
Adjust your MFA settings
Most MFA systems allow some level of customization. To improve security and reduce risk, consider making the following changes:
- Limit login attempts: Configure your system to automatically block accounts after a set number of failed login attempts.
- Shorten authentication windows: Reduce the time between authentication prompts to prevent cybercriminals from overwhelming users with repeated requests.
- Enable location checks: Require extra verification for logins from unfamiliar or suspicious locations.
- Implement number matching: Replace simple approve/deny buttons with a system that requires users to enter a specific code.
- Implement passkeys: If the system supports it, passwordless authentication replaces passwords altogether and, because it uses biometrics on the user's own device to log in rather than a push prompt that can be approved, is resistant to these types of attacks.
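To show how number matching and a short, rate-limited authentication window work together against push bombing, here is an added toy push service (example code, not any vendor's implementation). The class name, the policy values (60-second challenge, three pushes per five minutes, 15-minute lockout) and the result strings are assumptions for illustration.

```python
import secrets
import time


class NumberMatchingPush:
    """Toy MFA push service (added example, not a vendor implementation)."""

    def __init__(self, ttl=60, max_pushes=3, window=300, lockout=900, clock=time.time):
        self.ttl = ttl                # seconds a challenge stays valid (short auth window)
        self.max_pushes = max_pushes  # pushes allowed per user inside `window` seconds
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable clock so expiry can be tested
        self.pending = {}             # challenge_id -> {"user", "number", "expires"}
        self.sent = {}                # user -> timestamps of recent pushes
        self.locked_until = {}        # user -> epoch seconds until which pushes are refused

    def send_push(self, user):
        """Called after the password check. Returns (challenge_id, number) or
        ("locked", None). The number is shown only on the login screen, so a
        person who did not start this login cannot know what to type."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked", None
        recent = [t for t in self.sent.get(user, []) if now - t < self.window]
        if len(recent) >= self.max_pushes:
            # Too many pushes in the window: lock the account instead of sending more.
            self.locked_until[user] = now + self.lockout
            self.sent[user] = []
            return "locked", None
        recent.append(now)
        self.sent[user] = recent
        number = secrets.randbelow(100)          # two-digit code, as in number matching
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = {"user": user, "number": number,
                                      "expires": now + self.ttl}
        return challenge_id, number

    def approve(self, challenge_id, entered_number):
        """Authenticator side: the user types the number from the login screen.
        A blind approve with the wrong number fails; so does a stale or reused challenge."""
        challenge = self.pending.pop(challenge_id, None)   # single use
        if challenge is None:
            return "unknown"
        if self.clock() > challenge["expires"]:
            return "expired"
        if entered_number != challenge["number"]:
            return "mismatch"
        return "approved"
```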
Train your team
One of the most effective ways to defend against any cyberattack is through user education. Make sure your employees are aware of MFA fatigue attacks and know how to respond. Teach them to:
- Never approve MFA requests they didn't initiate.
- Only approve login attempts they initiated themselves.
- Report suspicious activity immediately.
- Hang up on callers claiming to be IT support requesting approvals over the phone.
Strengthen your password security
Since MFA fatigue attacks start with stolen passwords, strong password management is crucial. Here’s how to protect your accounts:
- Use a password manager to create unique, strong passwords for each account.
- Instead of using shared accounts, create individual accounts for each employee.
- Consider passwordless authentication options when available.
Set up access controls
Give employees only the permissions necessary for their roles. Keep admin access limited and separate from everyday accounts. Moreover, review access permissions regularly, and remove accounts for former employees or unused profiles right away.
Monitor for suspicious activity
Stay on the lookout for signs of MFA fatigue attacks, including:
- Multiple authentication requests over a short period
- Login attempts from unusual locations
- Employee reports of unexpected notifications
- Failed login attempts during off-hours
Set up alerts for these activities so you can respond quickly.
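The indicators above can be turned into simple alert logic. The following is an added example (not code from the original article or any product) that runs over constructed sample log lines; the log format, the per-user location baseline and the thresholds (five pushes in two minutes, 00:00 to 05:59 UTC as off-hours) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system). Assumed format:
# <ISO time> user=<name> event=<login|mfa_push> result=<ok|fail|sent> src=<ip> geo=<country>
SAMPLE_LOG = """\
2024-05-03T02:14:07Z user=alice event=login result=fail src=203.0.113.7 geo=RO
2024-05-03T02:14:30Z user=alice event=mfa_push result=sent src=203.0.113.7 geo=RO
2024-05-03T02:14:45Z user=alice event=mfa_push result=sent src=203.0.113.7 geo=RO
2024-05-03T02:15:02Z user=alice event=mfa_push result=sent src=203.0.113.7 geo=RO
2024-05-03T02:15:20Z user=alice event=mfa_push result=sent src=203.0.113.7 geo=RO
2024-05-03T02:15:41Z user=alice event=mfa_push result=sent src=203.0.113.7 geo=RO
2024-05-03T09:02:11Z user=bob event=mfa_push result=sent src=198.51.100.4 geo=US
2024-05-03T09:02:40Z user=bob event=login result=ok src=198.51.100.4 geo=US
"""

USUAL_GEO = {"alice": {"US"}, "bob": {"US"}}  # assumed per-user location baseline
PUSH_BURST = 5                                # pushes within PUSH_WINDOW that count as bombing
PUSH_WINDOW = timedelta(minutes=2)
OFF_HOURS = range(0, 6)                       # 00:00-05:59 UTC treated as off-hours


def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect(log_text):
    """Return a sorted list of (user, alert) tuples for the indicators in the text."""
    alerts = set()
    pushes = defaultdict(list)                # user -> push timestamps in the sliding window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        user = r["user"]
        if r["geo"] not in USUAL_GEO.get(user, set()):
            alerts.add((user, "unusual_location"))
        if r["event"] == "login" and r["result"] == "fail" and r["ts"].hour in OFF_HOURS:
            alerts.add((user, "off_hours_failed_login"))
        if r["event"] == "mfa_push":
            times = pushes[user]
            times.append(r["ts"])
            while times and r["ts"] - times[0] > PUSH_WINDOW:   # drop pushes outside window
                times.pop(0)
            if len(times) >= PUSH_BURST:
                alerts.add((user, "mfa_push_burst"))
    return sorted(alerts)
```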
What to do if you're under attack
If you notice signs of an MFA fatigue attack, follow these tips:
- Don't approve any requests you didn't initiate.
- Change your passwords immediately for affected accounts.
- Reach out to your IT support team or managed IT services provider for help.
Moving beyond basic MFA
While MFA is important, consider newer security approaches that offer better protection, such as:
- Zero trust security: Treats every login attempt as untrusted, regardless of location
- Risk-based authentication: Leverages systems that analyze login behavior to identify and respond to potential threats
- Biometric authentication: Replaces traditional codes with fingerprints or facial recognition
- Hardware security keys: Uses physical devices that provide stronger authentication
MFA is a critical pillar of any strong cybersecurity strategy, but its effectiveness depends on thoughtful implementation. To combat evolving threats such as MFA fatigue attacks and other credential-based vulnerabilities, you must combine robust technical safeguards with comprehensive user education.
Protect your organization with a proactive approach to cybersecurity. Partner with the experts at Fidelis to strengthen your defenses. Schedule a call with us today to get started.