

We all know that multi-factor authentication (MFA) is critical for keeping our sensitive accounts secure. Requiring multiple factors of authentication gives us another layer of defense. An attacker may get hold of a user's password, but also needing control of the authentication app on that user's phone makes the attack much harder, which helps to keep us safe.
How do MFA fatigue attacks work?
An MFA fatigue attack requires the threat actor to have already compromised the victim's credentials. This can happen through phishing, buying them from a darknet marketplace, shoulder surfing and a host of other ways. Once an attacker has the target's login credentials, they repeatedly attempt to sign in with them, hoping to overwhelm the target with a wave of MFA prompts. The attack succeeds if the target approves the second authentication factor. This often happens either accidentally, or because the user is frustrated and just wants the MFA prompts to stop. Ultimately, a successful MFA fatigue attack allows the attacker to take over the account.
MFA fatigue attacks are more common when the authentication factor relies on push notifications that can be approved with the simple press of a button, such as a notification that pops up on the screen saying something like "Device X is attempting to sign in to Y. Allow or deny?" Victims may press the button accidentally, approving a login unintentionally. MFA mechanisms that require users to actively type in a code are more resistant to MFA fatigue attacks because these approvals can't happen by accident.
Sometimes, MFA fatigue attacks are combined with the attacker pretending to be from tech support. They use this air of legitimacy to trick the user into approving the authentication.
How to defend against MFA fatigue attacks?
One of the first lines of defense should be ensuring secure password practices to limit the chances of attackers ever reaching a stage where MFA fatigue attacks are viable. This includes:
- Requiring strong and unique passwords for each account.
- Forcing password changes if there is a suspected compromise.
- General password hygiene, such as an awareness of shoulder surfing, not leaving passwords on a Post-it note, etc.
To stop MFA fatigue attacks themselves, our options include:
- Training and awareness – It’s hard for users to protect themselves against MFA fatigue attacks if they don’t know about them. By training them in these attacks, users can be primed to be more suspicious when they do receive unsolicited MFA prompts.
- Using MFA mechanisms that require users to type in the code – If access can be granted by simply pressing “Allow” on a push notification, users may sometimes allow unauthorized access by accident. If they have to go through the process of typing out each number in a one-time password (OTP), it won’t happen accidentally. The process may also give the user a few moments to think, “Wait a minute… I didn’t just try to log in. Why am I receiving this?” This could be enough for the user to stop the attack, rather than absentmindedly approving it.
- Limit the number of MFA access attempts – Users often experience errors when they are trying to authenticate, so needing multiple attempts isn’t necessarily suspicious. However, it can be good to lock out users for a set period after a specific number of failed attempts, such as 10. This won’t impact legitimate users too much, but it can make automated attacks incredibly difficult.
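The last two controls can be checked against authentication logs. The following is an added example (not code from the original article) that replays constructed MFA push events, applies a lockout after the 10 failed prompts suggested above, and raises an alert when a user approves a prompt shortly after a burst of failures, which is exactly the pattern a successful fatigue attack leaves behind. Event names, thresholds and the log format are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = {"mfa_push_denied", "mfa_push_timeout"}  # prompt the user did not approve
THRESHOLD = 10                  # failed prompts before lockout (the figure used above)
SUSPICIOUS = 3                  # fewer failures still make a following approval alert-worthy
WINDOW = timedelta(minutes=10)  # sliding window for counting failed prompts
LOCKOUT = timedelta(minutes=30)

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def analyze(lines, threshold=THRESHOLD, suspicious=SUSPICIOUS, window=WINDOW, lockout=LOCKOUT):
    """Replay MFA push events in time order; return lockouts and alerts on suspicious approvals."""
    recent = defaultdict(deque)  # user -> timestamps of failed prompts still inside the window
    locked_until = {}            # user -> end of the current lockout
    lockouts, alerts = [], []
    for ts, user, event in sorted(map(parse, lines)):
        q = recent[user]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if user in locked_until and ts >= locked_until[user]:
            del locked_until[user]  # lockout has expired
        if event in FAILED:
            q.append(ts)
            if len(q) >= threshold and user not in locked_until:
                locked_until[user] = ts + lockout
                lockouts.append((user, ts))
        elif event == "mfa_push_approved":
            if user in locked_until:  # prompts should not even be sent during a lockout
                alerts.append((user, ts, "approved while locked out: lockout not enforced"))
            elif len(q) >= suspicious:  # the signature of a successful fatigue attack
                alerts.append((user, ts, f"approved after {len(q)} failed prompts"))
            q.clear()  # a completed sign-in starts a fresh count
    return {"lockouts": lockouts, "alerts": alerts}

# Constructed sample events, not from any real system: alice gets a prompt every 30 s and
# finally taps Allow; carol approves after four misses; bob is a normal user with one timeout.
SAMPLE_LOG = [f"2024-05-01T02:{10 + i // 2:02d}:{i % 2 * 30:02d}Z alice mfa_push_denied" for i in range(12)]
SAMPLE_LOG += [f"2024-05-01T02:{20 + i // 2:02d}:{i % 2 * 30:02d}Z carol mfa_push_denied" for i in range(4)]
SAMPLE_LOG += ["2024-05-01T02:16:10Z alice mfa_push_approved",
               "2024-05-01T02:22:00Z carol mfa_push_approved",
               "2024-05-01T02:11:00Z bob mfa_push_timeout",
               "2024-05-01T02:11:40Z bob mfa_push_approved"]

if __name__ == "__main__":
    for kind, rows in analyze(SAMPLE_LOG).items():
        for row in rows:
            print(kind, *row)
```

Running it locks alice out at her 10th failed prompt and flags both her later approval and carol's approval after four misses, while bob's single timeout followed by a normal sign-in produces nothing.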
