A multi-factor authentication (MFA) fatigue attack is a social engineering technique in which attackers repeatedly trigger second-factor authentication requests to the target’s email, phone, or other registered devices, until the target approves one and lets them into the system.
You may also hear this type of attack called MFA bombing, 2FA fatigue, MFA push spam, MFA spamming, or prompt bombing.
Technology administrators are locked in a never-ending game of cat and mouse with threat actors.
Attackers devise a way into a system, administrators counter and block that method, attackers find an alternative, and administrators counter again.
That countering can take the form of system patches and updates, or more direct measures such as configuring email filters and antivirus definitions.
The attackers’ tactics aren’t always the most inventive, but if they produce results, then who’s really to judge? Case in point: MFA fatigue.
This isn’t some illustrious security operation seen in movies where hackers clickity-clack on a keyboard and try to hack the world.
Instead, they use your security tools against your end users to bombard them with authentication requests until they finally cave and allow the action.
These requests can be either application-based (push notifications) or phone-call-based.
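From the defender’s side, the pattern described above (a burst of push prompts to one user, often ending in an approval) is visible in MFA provider logs. The following is an added example, not code from the original post or from any MFA vendor: it reads a constructed, hypothetical log format (timestamp, user, event, source IP) and flags users who receive more than a threshold of push prompts inside a short window, escalating when the burst ends in an approval. Real providers (Okta, Duo, Microsoft Entra ID) emit different field names, so the parser would need adapting.

```python
"""Detect MFA push-bombing patterns in authentication logs.

Added example for this post. The log format below is constructed and
hypothetical; adapt parse_line() to your MFA provider's export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <event> <source_ip>
SAMPLE_LOG = """\
2023-09-01T08:00:01Z alice push_sent 203.0.113.7
2023-09-01T08:00:31Z alice push_denied 203.0.113.7
2023-09-01T08:00:45Z alice push_sent 203.0.113.7
2023-09-01T08:01:15Z alice push_timeout 203.0.113.7
2023-09-01T08:01:20Z alice push_sent 203.0.113.7
2023-09-01T08:01:50Z alice push_denied 203.0.113.7
2023-09-01T08:02:00Z alice push_sent 203.0.113.7
2023-09-01T08:02:30Z alice push_denied 203.0.113.7
2023-09-01T08:02:40Z alice push_sent 203.0.113.7
2023-09-01T08:02:55Z alice push_approved 203.0.113.7
2023-09-01T09:10:00Z bob push_sent 198.51.100.4
2023-09-01T09:10:05Z bob push_approved 198.51.100.4
"""

PROMPT_THRESHOLD = 3           # push prompts within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window for counting prompts


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_bombing(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one alert dict per user who received a burst of push prompts.

    A burst is `threshold` or more push_sent events for the same user within
    `window`. If an approval follows the burst within the window, the alert is
    marked approved_after_burst, since the user may have given in to the spam.
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent in window
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(raw)
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts outside window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "first_prompt": q[0],
                    "approved_after_burst": False, "source_ips": set(),
                })
                alert["prompts"] = max(alert["prompts"], len(q))
                alert["source_ips"].add(ip)
        elif event == "push_approved" and user in alerts:
            # Approval shortly after a burst: treat as possible compromise.
            if q and ts - q[-1] <= window:
                alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


def severity(alert):
    """Rank an alert: an approval after a burst needs an immediate response."""
    return "high" if alert["approved_after_burst"] else "medium"


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"{severity(a)}: {a['user']} got {a['prompts']} prompts "
              f"from {sorted(a['source_ips'])}, "
              f"approved after burst: {a['approved_after_burst']}")
```

On the constructed sample, alice is flagged at high severity (five prompts in under three minutes, then an approval) while bob, who approved a single prompt, produces no alert. In production the same detection should be paired with a provider-side cap on prompts per user per window and number matching on approvals, so the user has to enter a code shown on the login screen rather than just tap "Approve".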
This form of attack has been attributed to security breaches at Okta, Microsoft, Cisco, and Uber.
It really comes down to a digital version of sibling rivalry, where the younger one would chip away at the sanity of the elder child until a fight ensued.
Except here, instead of wrestling, you end up handing the keys to your kingdom to the attacker, along with the soda pop. So how did we get here, and what can we do?