A multi-factor authentication (MFA) fatigue attack is a form of a social engineering cyberattack strategy where attackers repeatedly try to make second-factor authentication requests to the target’s email, phone, or other registered devices to gain access to the system. You may also hear about MFA Fatigue attack as MFA Bombing, 2FA fatigue, MFA push spam, MFA Spamming, or prompt bombing.

Technology administrators are always playing a never-ending battle of cat and mouse when it comes to threat actors. They devise a way to attack a system, administrators counter and prevent this method, attackers find an alternate way, and administrators counter. This can be in the form of applying system patches and updates or through more direct measures like configuring email filters and antivirus definitions. They’re not always the most inventive of tactics, but if they produce results, then who’s really to judge? Case and point: MFA Fatigue.

This isn’t some illustrious security operation seen in movies where hackers clickity-clack on a keyboard and try to hack the world. Instead, they use your security tools against your end users to bombard them with authentication requests until they finally cave and allow the action. These requests can be either application-based or phone call based. This form of attack has been attributed to security breaches at Okta, Microsoft, Cisco, and Uber. It really comes down to a digital version of sibling rivalry, where the younger one would chip away at the sanity of the elder child until a fight ensued. Except here, instead of wrestling, you end up handing your keys to your kingdom to the attacker, along with soda pop. So how did we get here, and what can we do?

Hidden risks

MFASecurity

MFA Fatigue occurs when an organization is set to send out push notifications or automated phone calls to end users in order to allow an action or to authenticate themselves. Receive a call 100 times at 1 am; you’ll eventually allow it. Suppose an account protected with push MFA has been exposed. In that case, attackers continuously send authentication requests until the end-user either becomes too frustrated to deal with further requests or mistakes the request for something else.

In addition to these notifications, users have also reported getting sent emails purporting to be from tech support in an attempt to add validity to the push request. If they see a combination of multiple requests and emails from support, all it takes is half a second of memory lapse, and the user allows the request to go through.

Tips to combat against this type of attacks

Multifactor authentication is still important to your defense-in-depth policy and shouldn’t be disregarded easily. As with anything else, we need to tweak the settings to get it right. These will be dependent on the capabilities and restraints within the organization.

Turn off push notifications

This may seem like a no-brainer, but your users cannot get frustrated with push notifications if they don’t receive them. You can still require a 6-digit one-time password (OTP) from the user’s smartphone app.

Add context to your requests

Not every situation allows you to turn off push notifications. If this is the case, adding more information to your request will help the end user make a better-educated decision. Microsoft released this feature for their environment, and Google has done the same.

Change passwords!

This is more after the fact, but if your users receive many authentication requests, it’s because their login information was exposed. Enable your end-users to submit password reset requests remotely. This could be with an app, an email request, or a backup form of communication.

Spread awareness to your employees

This goes along with the previous point, but ensure your end-users are aware of risks like this. Teach them how to identify, notify, and what to do in the event they let an attacker in.

Shift to FIDO-compliant model

fido logo

FIDO authentication, developed by the FIDO Alliance, is a global authentication standard based on public key cryptography. With FIDO authentication, users sign in with phishing-resistant credentials called passkeys. These Passkeys can be synced across devices or bound to a platform or security key, and password-only logins can be replaced with secure and fast login experiences across websites and apps. Given the new nature of this, only a few organizations have adopted it.

Conclusion

Multifactor authentication is still essential to your security policy, but not all MFA implementations are the same. MFA implementing push notifications can subject your end-users to an attack called MFA Fatigue or MFA Bombing. This is a relatively new kind of attack where users relentlessly receive authentication requests or automated calls for their approval to access the account until they accept. The best ways to combat this form of attack include:

  • Turning off push notifications.

  • Adding additional information to the requests.

  • Considering a shift to a FIDO-compliant authentication model.

With some tweaking, your MFA policy can be a robust addition to your security policy. Until the next move in the game of cat and mouse, that is.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
Share
Related Posts