Bulletproof privacy in one click
Discover the world's #1 privacy solution
With data breaches, hacking, and cybercrime on the rise, more individuals and organizations are implementing multi-factor authentication (MFA) to protect devices and online accounts. As defenses advance, so do attack methods: to get past a second authentication factor without breaking it, attackers have adopted MFA fatigue attacks. This article explains what an MFA fatigue attack is and how it works, then looks at what businesses and individuals can do to prevent one.
Before we get to answering the question of “what is an MFA fatigue attack?”, we need to understand what multi-factor authentication is.
Multi-factor authentication is a method of credential authentication that requires the user to provide two or more methods of verification (authentication factors) in order to access an account or a device. Once the correct factors of authentication have been verified, the user is free to do whatever they need to within the device or account.
One of the most common forms of MFA is two-factor authentication (2FA), which, as the name suggests, requires two factors. The first is usually a username and password combination (something the user knows). Entering it correctly triggers a prompt for the second, pre-registered factor, which should come from a different category: something the user has (a phone or hardware key) or something the user is (a biometric).
The most common second factor is the "has" factor. Once the username and password have been entered, the user receives a push notification on their linked smartphone asking them to approve or deny the login attempt.
Approving it demonstrates possession of the smartphone, and the session on the device where the password was entered is granted access to the account.
What is an MFA fatigue attack?
MFA fatigue attacks go by several aliases: MFA bombing, MFA spamming, or MFA push spam. An MFA fatigue attack is a strategy for getting around the protection of a second factor without defeating it technically; it targets the human who approves the prompt.
Using stolen credentials, the attacker attempts to log in to the victim's account over and over, bombarding the victim with the push notifications that ask them to verify their identity. The hope is that the victim becomes so sick and tired (fatigued) of the constant notifications that they eventually slip up or tap approve by accident.
The victim may be completely unaware that there is a bad actor behind the rapid-fire notifications and may assume an app malfunction or a system test. The attacker may even contact the victim, posing as tech support, and talk them into accepting the prompt. This is how attackers reportedly gained access to Uber's network in September 2022: the attacker used a contractor's stolen credentials to trigger repeated approval requests until one was accepted.
User credentials are "collected": where many other cyberattacks aim to steal a user's credentials, in an MFA fatigue attack the attacker already has them. They may have been obtained through phishing, exposed in a data breach, or bought on the dark web. Either way, it all begins with a valid username and password.
Using the credentials, the MFA push notifications begin: the attacker signs in to the victim's account with the stolen credentials, and because the account is protected by a second factor, each attempt triggers an approve/deny prompt. The most common delivery is a push notification to an authenticator app on the victim's smartphone, though some systems prompt by email or desktop notification. The attacker scripts the login to repeat it, generating prompts in quick succession.
Endless push notifications "fatigue" the victim: the victim now receives a stream of prompts. The aim is to overwhelm them until, by accident or out of frustration, they tap "approve" to make it stop. That single approval grants the attacker a session on the account or device. The notifications may have stopped, but in an MFA fatigue attack this is just the beginning of the victim's troubles.
MFA fatigue attack prevention
As an individual, your first line of defense against MFA bombing is good password hygiene. Use a strong, unique password for every account (12 characters or more, ideally generated and stored by a password manager), and change a password immediately if it has been exposed in a data breach. Uniqueness matters because a password leaked from one site is otherwise the credential that starts the attack on another.
This reduces the risk of attackers having the right credentials to even begin the first stage of an MFA fatigue attack. Cut them off at the source! Just as important: never approve a prompt you did not initiate. Deny it, and treat a burst of unexpected prompts as a sign that your password is already in someone else's hands and must be changed at once.
The other thing you can do as an individual is check whether the account or app offers a second factor other than push approval. A one-time code from an authenticator app, or a biometric, cannot be accepted by a stray tap, so switching to one of these offers better protection against MFA fatigue (note that one-time codes can still be phished). Where supported, a hardware security key or passkey (FIDO2/WebAuthn) is better still: it is bound to the legitimate site, so it resists phishing as well as push spam.
For organizations, an employee falling victim to an MFA fatigue attack can have devastating effects on the entire business, putting not only the company at risk but its staff and customers too. There are, however, several controls businesses can implement to protect themselves, their team, and their customer base.
Tightening MFA parameters is the first. Limit the number of prompts an account can generate within a set time frame, and lock the account, or at least suspend further prompts, once the limit is hit. Alert the security team when a user denies or ignores several prompts in a row, and treat an approval that follows such a burst as a probable compromise rather than a clean login. Require "number matching", where the login screen shows a code that the user must type into the authenticator, so a prompt cannot be approved without sight of the login screen. Showing the requesting location and application inside the prompt, adding a geolocation or biometric requirement, or moving to phishing-resistant factors such as security keys further raises the bar.
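The rate limit and the "approval after a burst" alert described above, as an added example that is not part of the original article or of any vendor's product. The log format, field names, thresholds (five prompts per ten minutes, thirty-minute lockout) and the sample log lines are all assumptions constructed for the example; real identity providers expose this data under their own schemas.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy thresholds. These are assumed values for the example; tune them to your IdP.
MAX_PUSHES_PER_WINDOW = 5         # more prompts than this per user ...
WINDOW = timedelta(minutes=10)    # ... within this window is treated as push bombing
LOCKOUT = timedelta(minutes=30)   # no further prompts for this long after a burst

# Constructed sample log, not data from any real system. Assumed format, one event per line:
#   <ISO-8601 UTC timestamp> user=<id> event=<push_sent|push_denied|push_expired|push_approved> ip=<source>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:00:03Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T09:00:10Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:00:12Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T09:00:20Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:00:50Z user=alice event=push_expired ip=203.0.113.7
2024-03-01T09:00:55Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:00:57Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T09:01:05Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:01:07Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T09:01:15Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T09:01:40Z user=alice event=push_approved ip=203.0.113.7
2024-03-01T09:30:00Z user=bob event=push_sent ip=198.51.100.5
2024-03-01T09:30:04Z user=bob event=push_approved ip=198.51.100.5
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a timezone-aware 'ts' field."""
    stamp, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


class PushGuard:
    """Per-user sliding window over push prompts: rate-limits sends and raises alerts."""

    def __init__(self):
        self.sent = defaultdict(deque)   # user -> timestamps of prompts inside WINDOW
        self.locked_until = {}           # user -> time the lockout expires
        self.alerts = []

    def _prune(self, user: str, now: datetime) -> None:
        q = self.sent[user]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def _is_locked(self, user: str, now: datetime) -> bool:
        return user in self.locked_until and now < self.locked_until[user]

    def allow_push(self, user: str, now: datetime) -> bool:
        """Gate a prompt: deny while locked out, and start a lockout when the burst limit is hit."""
        self._prune(user, now)
        if self._is_locked(user, now):
            return False
        if len(self.sent[user]) >= MAX_PUSHES_PER_WINDOW:
            self.locked_until[user] = now + LOCKOUT
            self.alerts.append({"user": user, "at": now, "kind": "push_bombing",
                                "prompts_in_window": len(self.sent[user])})
            return False
        self.sent[user].append(now)
        return True

    def observe(self, rec: dict) -> None:
        """Replay one log event. In a live IdP allow_push() would gate the send itself."""
        user, now, event = rec["user"], rec["ts"], rec["event"]
        if event == "push_sent":
            self.allow_push(user, now)
        elif event == "push_approved":
            self._prune(user, now)
            # An approval arriving during or right after a burst is the signature of a
            # successful fatigue attack: treat it as probable compromise, not a clean login.
            if self._is_locked(user, now) or len(self.sent[user]) >= MAX_PUSHES_PER_WINDOW:
                self.alerts.append({"user": user, "at": now, "kind": "approved_after_burst",
                                    "prompts_in_window": len(self.sent[user])})


def analyse(log_text: str) -> list:
    """Run the guard over a whole log and return the alerts it raised, in order."""
    guard = PushGuard()
    for line in log_text.splitlines():
        if line.strip():
            guard.observe(parse_line(line))
    return guard.alerts


def rate_limit_demo() -> list:
    """Six prompts in five seconds, then one at +20 min and one at +31 min; returns the decisions."""
    guard = PushGuard()
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    offsets = [timedelta(seconds=s) for s in range(6)] + [timedelta(minutes=20), timedelta(minutes=31)]
    return [guard.allow_push("carol", t0 + d) for d in offsets]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['at'].isoformat()} {alert['user']}: {alert['kind']} "
              f"({alert['prompts_in_window']} prompts in {WINDOW})")
    print("rate-limit decisions:", rate_limit_demo())
```

Replaying the constructed log flags alice twice: once when her sixth prompt in under two minutes arrives (the point at which a rate-limiting IdP would have refused to send it and locked the account), and again when an approval lands while she is still inside that burst; bob's single prompt and approval raise nothing. The second alert is the one that should trigger session revocation and a password reset, since it is the moment the attacker gets in. The decision sequence from `rate_limit_demo()` shows the lockout holding at twenty minutes and releasing after thirty.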
MFA fatigue attacks are just one piece of the hacking puzzle: the session they yield is the starting point for account takeover, identity theft, and fraud.
Check out our article: Account Takeover Attacks: Detection and Prevention. The more you know, the better protected you can be!
Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.