
What is an MFA Fatigue Attack and How to Prevent It

What is an MFA Fatigue Attack?
Published on February 6, 2023

Multifactor authentication (MFA) is a useful security feature. It provides an additional barrier that can slow down hackers, who rely on social engineering, phishing attacks, and other tactics to steal data and identities.

MFA ensures that users are who they claim to be before they are granted access, requiring them to provide multiple pieces of information such as a password, username, and device ID. All of this information is then verified. For instance, the username and password entered must match the user ID and password the user previously registered. In addition, the device used to log into the application is also used to verify the login credentials.

There are two main types of MFA: something you know and something you have. Generally, something you know is a username/password combination, while something you have can be a PIN code, smart card, or biometric factor like a fingerprint.

For multifactor authentication to be effective, it must be implemented correctly on both the client and server sides.

Level Up Your Security Skills Today

Cyberthreats are increasing not only in frequency but in complexity, so the demand for professionals who can keep networks and data protected continues to grow. You’ll find the training you need to develop and hone in-demand security skills at CBT Nuggets.

Whether you are new to cybersecurity or a seasoned network security pro, our courses can get you up to speed on the latest security technologies and best practices. Much of our online cybersecurity training maps to highly valued certifications — and covers skills that many organizations desperately need. Not a CBT Nuggets subscriber? Sign up for a 7-day free trial to get a feel of what it’s like to learn IT with us. Explore all of our cybersecurity training and start learning skills that can help you keep networks and data safe!

What is MFA Fatigue?

MFA fatigue is a technique attackers use to overwhelm their victims by spamming them with authentication requests. Some users either accidentally accept one of these requests or press accept out of frustration to make the annoying notifications stop. This type of attack also goes by other names, such as prompt spamming, authentication bombing, or push spam.

Although this is certainly not a new hacker tool, it has gained popularity in recent months, thanks in large part to the increased number of people who still work from home. MFA fatigue relies on repeated login attempts using compromised credentials. Each time the username and password are entered correctly, an MFA notification is sent to the user, and the hope is that, eventually, the user will approve one and allow the attacker to gain access.

This is certainly less technical than a standard session hijacking or man-in-the-middle attack, which makes the barrier to entry much lower for opportunistic cybercriminals. If the intended victim is caught off guard, or eventually stops appreciating the seriousness of accepting an MFA notification, the attacker gains access as soon as the request is accepted.

How do MFA fatigue attacks get carried out?

As more people work from anywhere and access secure company resources remotely, MFA fatigue is on the rise. With the victim's correct credentials in hand, the attack is simple for hackers to pull off.

After being bombarded by MFA requests, the user may accept the request, thinking it is some kind of bug or error. When notifications are spamming a user to the point their phone cannot be used, the user will accept the request just to make it stop. That acceptance completes the login process and allows the attacker to gain access to the device. 

MFA fatigue is fairly simple to automate and scale up, which makes it an attractive technique for attackers. Still, the attacker needs to enter the user’s correct username and password to trigger each MFA request.

Victims’ credentials could already be out there on the dark web. They could have been leaked during a data breach. If you use the same username and password for all your applications and logins, then you have a large attack surface. Other methods of getting these credentials are through social engineering and phishing attacks. 

Once the attacker has entered the correct username and password, an MFA fatigue attack repeatedly spams authentication prompts and hopes that the user on the other end caves or makes a mistake.

Because of this, MFA fatigue attacks cannot force the account holder to confirm the login, so they cannot guarantee success.

Related: Implementing Automation in Cybersecurity: Benefits & Drawbacks.

How to Protect Against MFA Fatigue 

Two-factor security setups have several key weaknesses that make MFA fatigue possible. The technique becomes much less effective if you limit how many MFA prompts can be triggered before the account is locked down.

We can also enforce increasing time limits between prompts, using the same rate-limiting methods that prevent rapid password-guessing attempts.

Furthermore, notifications tailored to the type of login attempt can be used instead of a universal confirmation signal (such as a static PIN) to improve MFA's resilience. 

In addition to Microsoft, several other companies plan to use a number-matching MFA method that requires users to enter their PIN instead of tapping confirm.
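The three server-side controls described above (a cap on outstanding prompts before lockout, an increasing delay between prompts, and number matching instead of a bare "Approve" button) can be combined in one push-notification policy. The following is an added example written for this article, not CBT Nuggets code and not any vendor's implementation; the class names, the 30-second base delay and the five-prompt lockout are assumptions chosen for illustration.

```python
"""Server-side MFA push policy with three mitigations against prompt bombing:
  1. exponential backoff between prompts for the same account,
  2. lockout after too many outstanding (unanswered or denied) prompts,
  3. number matching: the app must submit the number shown on the login screen.

Added example, not CBT Nuggets code. Class names and thresholds are
hypothetical and chosen for illustration, not taken from any product.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AccountState:
    pending_prompts: int = 0        # prompts sent since the last successful approval
    next_allowed_at: float = 0.0    # earliest time another prompt may be sent (epoch seconds)
    locked: bool = False
    challenge: Optional[int] = None  # two-digit number currently shown on the login screen


class PushPolicy:
    # Assumed thresholds: 30 s after the first prompt, doubling each time;
    # the fifth prompt without an approval locks the account.
    BASE_DELAY_SECONDS = 30
    MAX_PENDING = 5

    def __init__(self) -> None:
        self.accounts: dict = {}

    def request_push(self, user: str, now: float) -> Tuple[Optional[int], str]:
        """Called only after a correct password. Returns (challenge, status);
        the login screen displays the challenge, the app asks the user to type it."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return None, "locked"
        if now < st.next_allowed_at:
            # Rate limited: the password was right, but we refuse to send another push.
            return None, "rate_limited"
        st.pending_prompts += 1
        if st.pending_prompts >= self.MAX_PENDING:
            st.locked = True           # too many unanswered prompts: stop the spam entirely
            st.challenge = None
            return None, "locked"
        delay = self.BASE_DELAY_SECONDS * 2 ** (st.pending_prompts - 1)  # 30, 60, 120, 240 s
        st.next_allowed_at = now + delay
        st.challenge = secrets.randbelow(100)
        return st.challenge, "sent"

    def approve(self, user: str, entered: int) -> bool:
        """The authenticator app submits the number the user typed.
        A bare tap (or a guess) cannot satisfy this; each challenge is single-use."""
        st = self.accounts.get(user)
        if st is None or st.locked or st.challenge is None:
            return False
        ok = entered == st.challenge
        st.challenge = None            # consume the challenge whether or not it matched
        if ok:
            st.pending_prompts = 0     # a genuine approval resets the backoff
            st.next_allowed_at = 0.0
        return ok


if __name__ == "__main__":
    policy = PushPolicy()
    number, status = policy.request_push("alice", now=0.0)
    print("first prompt:", status, "display", number)
    print("second prompt 10 s later:", policy.request_push("alice", now=10.0)[1])
    print("approve with displayed number:", policy.approve("alice", number))
```

The login screen shows the challenge; the authenticator app prompts the user to type it rather than offering an "Approve" button, so a prompt the user did not initiate carries no number they could enter. Because the challenge is consumed on the first attempt, a wrong entry also invalidates it, and the attacker has to trigger a fresh prompt, which the backoff and lockout limit.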

The bottom line is that if you are getting spammed with MFA messages, you must log into your account and change your password as soon as possible. If you change your password and still receive MFA requests, contact your IT department ASAP so that they can investigate their systems.
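The IT department does not have to wait for the user to report the spam: a burst of denied or unanswered push prompts for one account is visible in the authentication logs. The following detection logic is an added example for this article, not CBT Nuggets code and not any identity provider's log format; the field names, the five-minute window, the four-prompt threshold and the sample log lines are all constructed for illustration.

```python
"""Detect MFA prompt bombing in authentication logs: alert on any account that
collects THRESHOLD denied or timed-out push prompts inside a sliding window, and
flag the case that matters most to responders, an approval arriving right after
the burst.

Added example, not CBT Nuggets code. The log format, field names, window and
threshold are assumptions; SAMPLE_LOG is constructed (RFC 5737 example addresses).
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

SAMPLE_LOG = """\
2023-02-06T09:00:01Z user=alice event=mfa_push result=denied src_ip=203.0.113.5
2023-02-06T09:00:20Z user=alice event=mfa_push result=timeout src_ip=203.0.113.5
2023-02-06T09:00:45Z user=bob event=mfa_push result=approved src_ip=198.51.100.7
2023-02-06T09:01:02Z user=alice event=mfa_push result=denied src_ip=203.0.113.5
2023-02-06T09:01:30Z user=alice event=mfa_push result=timeout src_ip=203.0.113.5
2023-02-06T09:02:10Z user=alice event=mfa_push result=denied src_ip=203.0.113.5
2023-02-06T09:02:55Z user=alice event=mfa_push result=approved src_ip=203.0.113.5
2023-02-06T13:00:00Z user=carol event=mfa_push result=denied src_ip=192.0.2.9
"""

UNANSWERED = ("denied", "timeout")


def parse_line(line: str) -> dict:
    """'<ISO timestamp> key=value ...' -> dict with a timezone-aware 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_prompt_bombing(log_text: str, window_seconds: int = 300, threshold: int = 4) -> dict:
    """Return {user: {"count", "first", "last", "approved_after"}} for each account
    whose unanswered push prompts reached `threshold` within `window_seconds`."""
    recent = defaultdict(deque)   # user -> timestamps of unanswered prompts in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec.get("result")
        window = recent[user]
        if result in UNANSWERED:
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()       # slide the window forward
            if len(window) >= threshold:
                alert = alerts.setdefault(user, {"first": window[0], "approved_after": False})
                alert["count"] = len(window)
                alert["last"] = ts
        elif result == "approved" and user in alerts:
            # An approval shortly after the burst is the "user caved" outcome:
            # treat the session as suspect and escalate.
            if (ts - alerts[user]["last"]).total_seconds() <= window_seconds:
                alerts[user]["approved_after"] = True
    return alerts


if __name__ == "__main__":
    for user, a in detect_prompt_bombing(SAMPLE_LOG).items():
        print(f"{user}: {a['count']} unanswered prompts {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S},"
              f" approved afterwards: {a['approved_after']}")
```

On the constructed log, alice accumulates five denied or timed-out prompts in just over two minutes and then approves one, which is exactly the sequence the article describes; bob's single approval and carol's lone denial stay below the threshold. In practice the alert would feed a password reset and session revocation for the affected account.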

Want to learn more? Sign up for SEC504: Hacker Tools, Techniques, and Incident Handling with Erik Choron. Sign up for a one-week no-strings-attached trial to check out this course and others!


© 2024 CBT Nuggets. All rights reserved.