Rising credential-theft incidents have pushed companies to implement multi-factor authentication (MFA) to protect their employees from the consequences of password theft. But attackers now carry out MFA fatigue attacks to get around this added layer of protection.

So what is MFA fatigue? How do these attacks work? And what can you do to protect yourself?

What Is an MFA Fatigue Attack?

An MFA fatigue attack involves bombarding an account owner incessantly with MFA push notifications until they slip up or are worn down psychologically and approve the login request.

Once an MFA request is approved, hackers can access the user's account and misuse it however they want.

The main goal of such an attack is to send an endless barrage of MFA push notifications that wears the account owner down.

Eventually, this fatigue leads the account owner to approve the sign-in request, either accidentally or deliberately, just to make the notifications stop.

How an MFA Fatigue Attack Works


As more applications and services adopt multi-factor authentication, approving MFA push notifications becomes a routine task; many account owners approve several requests a day. Over time, that routine makes them inattentive.

Moreover, a constant bombardment of MFA notifications can wear account owners down, prompting them to approve a sign-in request simply to make the notifications stop.

As account holders often use authenticator apps on their smartphones, hackers can target them 24/7 to wear them down.

What Happens in an MFA Fatigue Attack?

The first step of an MFA fatigue attack is obtaining the user's login credentials. Passwords are commonly obtained through phishing, spidering, and brute-force attacks.

Once an attacker has a user's login credentials, they bombard them with multi-factor authentication prompts.

The attackers hope that:

  • The user will approve the login attempt by mistake.
  • The user will give in due to psychological pressure exerted by an endless stream of MFA requests.

MFA fatigue attacks can easily be automated. And often, social engineering is combined with an MFA fatigue attack to make the attack successful.

For example, the target user receives a phishing email requesting the user to approve the MFA request. A phishing email can also inform the target that they may get a barrage of multiple MFA requests in the coming days as a new security system is being implemented. The email can further state that MFA requests will stop once the account owner approves the login attempt.

How to Protect From an MFA Fatigue Attack


Here are some ways to stay safe from MFA fatigue attacks.

1. Enable Additional Context

Enabling additional context in MFA requests can offer better security and protect you from MFA fatigue attacks.

Additional context in an MFA request helps you understand which account triggered the MFA notification, the time of the day when the login attempt was made, the device used to attempt a login, and the location of the device where the login attempt was made.

If you see multiple MFA requests triggered from an unfamiliar location or device when you're not trying to log into the account, it is a sign that a threat actor is trying to spam you. You should immediately change the password of that account and inform your IT department if it's tied to a company network.

Many MFA apps have this feature enabled by default. If your authenticator app doesn't show additional context, dive into your app's settings to check if it has the option to allow additional context.

2. Adopt Risk-Based Authentication

Using an authenticator app with risk-based authentication capability can help defend against MFA fatigue attacks. Such an app can detect and analyze threat signals based on known attack patterns and adjust security requirements accordingly.

Known threat patterns include an unusual location for the login attempt, repeated login failures, and MFA push harassment, among others.

Check if your MFA app offers risk-based authentication. If it does, enable it to stay protected from MFA push spamming.

3. Implement FIDO2 Authentication

Adopting FIDO2 authentication can prevent MFA fatigue attacks.

FIDO2 provides password-less and multi-factor authentication based on biometrics. Because the credential (a private key) never leaves your device, there is nothing for an attacker to steal, so threat actors cannot carry out MFA notification spamming.

4. Disable Push Notification as a Verification Method

The MFA push notification feature is designed for ease of use: account owners only have to tap "Yes" or "Allow" to log into their accounts.

MFA fatigue attacks exploit this feature of authenticator apps. Disabling these simple push notifications as a verification method in your authenticator app is a proven way to increase MFA security.

Here are some methods that you can use to verify an MFA request:

  • Number-matching.
  • Challenge and response.
  • Time-based one-time password.

The advantage of using number-matching or time-based one-time password as a verification method is that users cannot approve an MFA request by accident; they will need the necessary information to complete the verification process.

Check your authenticator app to see which verification method you can use instead of simple push notifications that only ask users to tap "Yes" or "Allow" to approve a login attempt.

5. Limit the Authentication Requests

Limiting the number of sign-in requests in an authenticator app can help prevent prompt bombing or MFA fatigue. But not all authenticators offer this feature.

Check whether your MFA authenticator lets you cap the number of authentication requests; once the cap is reached, the account is blocked from further sign-in attempts.
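As an added example covering both number matching (section 4) and a cap on authentication requests (section 5), the Python class below models the server side of a push-based MFA flow. It is illustrative code written for this article, not any vendor's implementation; the class, method names and the limits MAX_PROMPTS, WINDOW_SECONDS and CHALLENGE_TTL are hypothetical policy values. Approval requires the two-digit number shown on the login screen (the push itself never carries it), a wrong or late answer burns the challenge, and an account that receives more than MAX_PROMPTS prompts in the window is locked.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_PROMPTS = 3        # prompts allowed per account per window before locking (hypothetical policy)
WINDOW_SECONDS = 300   # sliding window for the prompt cap
CHALLENGE_TTL = 60     # seconds a pending prompt stays valid


@dataclass
class Challenge:
    challenge_id: str
    user: str
    number: str        # two-digit number shown on the login screen, never sent in the push
    created: float
    used: bool = False


class PushAuthService:
    """Hypothetical server-side push MFA with number matching and a prompt cap."""

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so tests can control time
        self.challenges = {}            # challenge_id -> Challenge
        self.issued = {}                # user -> timestamps of prompts sent
        self.locked = set()

    def request_login(self, user, context):
        """Called after the password check. Returns (number_for_login_screen, push_payload).

        Raises PermissionError when the account is locked or the prompt cap is hit.
        """
        now = self.clock()
        if user in self.locked:
            raise PermissionError(f"{user}: account locked after repeated MFA prompts")
        recent = [t for t in self.issued.get(user, []) if now - t <= WINDOW_SECONDS]
        if len(recent) >= MAX_PROMPTS:
            self.locked.add(user)        # stop the barrage; an admin or self-service flow unlocks
            raise PermissionError(f"{user}: account locked after repeated MFA prompts")
        recent.append(now)
        self.issued[user] = recent

        number = f"{secrets.randbelow(100):02d}"
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = Challenge(challenge_id, user, number, now)
        # The push carries context (who, from where, which device) but NOT the number:
        # the app user must read it off the login screen and type it in.
        push = {"challenge_id": challenge_id, "user": user, **context}
        return number, push

    def approve(self, challenge_id, entered_number):
        """Called by the authenticator app. True only for a fresh, unused challenge with the right number."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.used:
            return False
        ch.used = True                   # one attempt per prompt: a wrong guess burns it
        if self.clock() - ch.created > CHALLENGE_TTL:
            return False                 # the user took too long; a new prompt is needed
        entered = str(entered_number).zfill(2)
        return hmac.compare_digest(ch.number, entered)


if __name__ == "__main__":
    svc = PushAuthService()
    ctx = {"ip": "203.0.113.7", "location": "Lisbon,PT", "device": "Windows laptop"}
    number, push = svc.request_login("alice", ctx)
    print("login screen shows", number, "| app receives", push)
    wrong = f"{(int(number) + 1) % 100:02d}"
    print("approve with the wrong number:", svc.approve(push["challenge_id"], wrong))
```

The two properties the article asks for fall out of the design: a user who simply taps "Approve" without the number cannot succeed, because the app has nothing to send except a guess that burns the challenge, and an attacker who keeps re-triggering prompts locks the account after MAX_PROMPTS requests instead of wearing the user down. The lock also produces a clear event for the IT team, which ties back to the detection advice in section 2.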

6. Spread Security Awareness Around MFA

If you run a company, the best way to thwart MFA fatigue attacks is security awareness training. Make sure your employees know what an MFA fatigue attack looks like and what to do when it happens. They should also be able to spot a phishing email asking them to approve MFA requests.

Regularly training your employees on the best cybersecurity practices goes a long way towards protecting accounts.

Don't Get Pushed Into a Mistake

Multi-factor authentication adds an extra layer of security to your accounts. It protects them even if threat actors get hold of your login credentials. But you should watch out for an MFA fatigue attack. It might be annoying, but don't cave in.