Daniel Petri

An MFA fatigue attack—also known as MFA bombing—is an attack tactic, technique, and procedure (TTP) in which a threat actor floods users with multifactor authentication (MFA) requests. By overwhelming, confusing, or distracting the user into approving a fraudulent request, attackers hope to gain access to your network environment.

Microsoft recently noted that by mid-year 2023, it was observing almost 6,000 MFA fatigue attempts per day. Learning what these attacks look like and how to defend against them is a smart move.

What is MFA?

Multifactor authentication (MFA) is a security measure that requires users to provide two or more distinct types of identification to access an account or system. This approach enhances security: Even if one authentication factor is compromised, the additional factors can prevent unauthorized access.

What is MFA fatigue?

Most users understand the value of MFA. But many have tired of the numerous push notifications that make up the modern workday. MFA fatigue occurs when users are so overwhelmed by notifications that they no longer give each one their full attention.

An MFA fatigue attack isn’t a direct means of bypassing MFA. Rather, this TTP exploits human error and fatigue during the MFA process. The approach capitalizes on the trust users place in MFA and their subsequent expectation that any MFA prompt is a legitimate request.

Often, the attacker expects that the user will approve a fraudulent request amidst a flood of legitimate ones. MFA fatigue attacks emphasize the importance of not only having MFA in place but also training users to be cautious and discerning about the MFA requests they approve.

The danger of MFA fatigue attacks

MFA fatigue attacks, while often subtle in execution, carry profound implications for safety and trust dynamics within your organization. These attacks not only directly threaten your digital security, they also negatively affect users’ confidence and mental state.

Here are some potential consequences of an MFA fatigue attack.

  • Unauthorized access: One immediate danger of MFA bombing is a potential breach of secure resources. Suppose that a user mistakenly approves a rogue MFA request. Attackers can exploit this lapse to gain unauthorized access to sensitive data, systems, or applications. A successful MFA fatigue attack not only puts your organization’s proprietary information at risk, but it can also have legal and financial repercussions.
  • Denial of service: MFA is primarily perceived as a security measure to protect access. Ironically, MFA bombing can leverage that process to deny access. By overwhelming the system with a multitude of MFA requests, attackers can cause a gridlock, preventing legitimate users from accessing their accounts. Such a scenario can be particularly damaging if time-sensitive operations or critical business processes are interrupted.
  • Erosion of trust: Perhaps the most insidious impact of MFA bombing is its long-term effect on user perception and trust. Every false or unnecessary MFA request serves as a reminder of the vulnerability of the system. Over time, with frequent false alarms, users might start doubting the efficacy of the MFA system. This reduced trust can breed complacency, making users even more susceptible to future MFA fatigue attacks. Moreover, if users come to see MFA as a constant source of interruptions and confusion rather than an essential security measure, they might become more inclined to circumvent or resist it.

How does an MFA fatigue attack work?

By understanding the mechanisms that adversaries employ, ranging from deceptive phishing campaigns to strategically timed attempts, security teams can better prepare and defend against these insidious threats.

  • Phishing-based initiation: The attacker begins by sending phishing emails designed to capture the user’s primary credentials. When the attacker has those credentials, they initiate the MFA bombing process.
  • Rapid request generation: Using automated tools or scripts, the attacker rapidly fires off multiple login attempts. Each attempt triggers an MFA request to the user. The aim is to create a deluge of MFA prompts and MFA fatigue.
  • Masked malicious requests: Amidst the legitimate MFA requests arising from the attacker’s login attempts, the attacker might intersperse malicious MFA requests for a different account or service. The attacker hopes that in the confusion, the user approves the wrong request.
  • Timing: The attacker can strategically time the attack for a time when the user might be distracted, such as during the start of a workday or just after a lunch break.

Examples of an MFA fatigue attack

MFA fatigue attacks seem to be a favorite of the Lapsus$ attack group, which used the TTP against Uber in 2022. Cisco has also been an MFA fatigue target, as have various businesses and government organizations.

How might an MFA attack play out? Consider these examples.

  • Push notification overload: An employee uses a mobile app for MFA, which sends push notifications for approval. An attacker, after obtaining primary login credentials through a separate phishing campaign, initiates a barrage of login attempts. The employee’s phone is flooded with push notifications. In the ensuing confusion, the employee inadvertently approves a malicious login attempt to a sensitive system or data repository.
  • SMS code confusion: An employee receives MFA codes via SMS. An attacker, armed with the employee’s primary credentials, starts the login process multiple times in quick succession. The employee’s phone is bombarded with SMS codes, making it difficult to discern which one is genuinely required for a legitimate action they are trying to perform. Amidst the chaos, they might use a code sent by the attacker for a malicious login.
  • Legitimate service masking: An employee uses multiple services that all rely on the same MFA app for authentication. An attacker initiates multiple logins on a less critical service, flooding the MFA app with requests. Hidden among these requests is one for a more sensitive service. The overwhelmed employee mistakenly approves access to this critical service.

Fighting MFA fatigue

In the intricate game of cyber defense, understanding and combating evolving threats requires a blend of user awareness and robust technological safeguards. Consider these tactics to help counter MFA fatigue attacks.

  • Number matching: If an MFA challenge requires a number match, the user must have visibility to the originating authentication session—which cannot happen in an MFA fatigue attack.
  • Geolocation: Presenting geolocation information, even when inexact, as part of the MFA challenge provides more context for the user. If a user located in Los Angeles gets a push request with a geolocation of Copenhagen, they can recognize something phishy about the request.
  • User training: The human element remains one of the most vulnerable aspects of any security strategy. Therefore, comprehensive user training is paramount. This involves not only familiarizing users with the concept of MFA fatigue attacks but also instilling habitual caution. Regular workshops, simulated attacks, and consistent reminders can help users recognize suspicious activity. By verifying the context of each MFA request, your employees can significantly reduce the chance of mistakenly granting access.
  • Rate limiting: One of the most effective technical countermeasures is rate limiting. By setting a threshold on the number of MFA requests allowed within a set period, you considerably reduce attackers’ ability to flood users with notifications. This approach not only hinders attackers’ ability to confuse the target but also provides a layer of protection against potential brute-force attack attempts.
  • Logging and monitoring: Continuous and thorough logging of authentication attempts serves a dual purpose. First, by maintaining a detailed record, organizations can conduct post-incident analysis to understand and address vulnerabilities. Secondly, real-time monitoring tools can assess these logs and use machine learning or heuristic analysis to detect patterns consistent with an MFA fatigue attack. When such patterns emerge, automatic alerts can notify security teams to investigate further.
  • Feedback mechanism: Empowering users to be an active part of the defense strategy can be incredibly effective. By setting up an easy-to-use feedback mechanism, users can quickly report suspicious MFA prompts or other anomalies. This capability not only helps IT teams receive immediate alerts about potential threats but also fosters a security-conscious culture in which every individual feels responsible for safeguarding digital assets.

Beating MFA fatigue

MFA bombing presents a multifaceted challenge, contrasting the technological advancements of security with the vulnerabilities of human behavior. Through tactics like phishing, rapid request generation, and masked malicious requests, attackers have weaponized a tool meant to protect users.

MFA remains a robust defense mechanism, but its effectiveness can be compromised when users are overwhelmed or undertrained. The key to combating MFA fatigue lies not just in technological countermeasures but in user education and empowerment.

By fusing awareness with proactive defenses such as rate limiting and feedback mechanisms, organizations can uphold the sanctity of their security systems while fortifying users against exploitation. Awareness, vigilance, and continuous adaptation remain your best allies.