What is MFA Fatigue Attack and How to Prevent It
MFA fatigue attacks exploit human error to bypass multi-factor authentication. Learn what these attacks are, how they work, and ways to prevent them.
2024-12-18
In 2024, cyberattacks exploiting multi-factor authentication (MFA) weaknesses increased by 40%, according to the Verizon Data Breach Investigations Report (DBIR). Additionally, a 2024 survey by the Identity Defined Security Alliance (IDSA) reported that 91% of organizations experienced identity-based attacks, underscoring these threats' growing frequency and impact.
MFA fatigue attacks prey on human psychology rather than technical loopholes. They have affected major corporations, including in high-profile breaches of companies like Uber, where an attacker exploited this method to gain unauthorized access.
This attack exposes a critical vulnerability in MFA systems—the human factor. In this blog, we’ll cover what MFA fatigue attacks are, how they work, why they are so effective, and actionable strategies to protect your organization.
What is an MFA Fatigue Attack?
An MFA fatigue attack (also known as an MFA bombing attack) occurs when a threat actor repeatedly sends MFA push notifications to a user’s device, hoping to wear them down. The attacker relies on the user’s frustration or confusion to accept the authentication request inadvertently.
Instead of bypassing technical controls, this attack exploits human behavior—particularly the likelihood of approving an MFA request simply to stop the incessant notifications. This method highlights the importance of security awareness training and the need to bolster human defenses.
How MFA Fatigue Attacks Work
MFA fatigue attacks overwhelm users with constant MFA requests. Let's dive into how these attacks work and why they succeed.
| Step | Description |
|---|---|
| 1. Credential Compromise | The attacker acquires the victim’s username and password through phishing, malware, or leaked credentials. |
| 2. Push Notification Bombing | Using the compromised credentials, the attacker initiates multiple MFA requests to the victim's device. |
| 3. User Fatigue | The victim becomes overwhelmed by repeated prompts and eventually approves one of the requests out of frustration. |
| 4. Unauthorized Access | Once approved, the attacker gains access to the account or system. |
Table 1: How MFA Fatigue Attacks Work
These attacks are increasingly successful due to the high number of push notifications and the likelihood that a user will accidentally accept one, especially if they are distracted or unaware of the threat.
Why Are MFA Fatigue Attacks So Effective?
MFA fatigue attacks exploit weaknesses in human behavior and security practices. Recognizing these specific weaknesses helps in building stronger defenses. Here are some key factors that make these attacks so effective:
- Human Error: Despite robust technical measures, human error remains a weak link. According to the 2024 Verizon DBIR, the human element was a component of 68% of breaches. This happens because users often act under pressure, distraction, or misunderstanding of the situation.
- Social Engineering: These attacks rely on social engineering principles, manipulating users through fatigue, stress, or trust in fake communications. By pretending to be legitimate, attackers trick users into approving MFA prompts.
- Lack of Security Awareness: Many employees are unfamiliar with MFA fatigue attacks and don’t understand why constant prompts occur. Without security awareness, they may approve requests just to stop the notifications.
- Repeated Notifications: Attackers exploit the assumption that repeated MFA prompts are a system glitch or error. Frustrated users approve notifications to resolve the issue quickly, unaware of the danger.
Real-World Examples of MFA Fatigue Attacks
MFA bombing, or prompt bombing, attacks have been employed in several notable cybersecurity breaches. Here are five significant incidents:
| Date | Organization | Description |
|---|---|---|
| September 2022 | Uber | The Lapsus$ hacking group gained access to Uber's internal systems by repeatedly sending MFA push notifications to an employee. The attacker also contacted the employee via WhatsApp, posing as IT support, and persuaded them to approve the MFA request, leading to a significant security breach. |
| May 2022 | Cisco | Attackers employed social engineering tactics, including MFA fatigue and voice phishing, to compromise an employee's credentials. By persistently sending MFA push notifications, they eventually gained access to Cisco's corporate network, resulting in data theft. |
| March 2024 | Apple Users | A campaign targeted Apple users with repeated password reset prompts, causing MFA fatigue. Victims received numerous prompts on their devices, and in some cases, attackers followed up with spoofed calls pretending to be Apple support, attempting to extract verification codes. |
| 2022 | Microsoft | Attackers used MFA fatigue techniques to breach Microsoft accounts by sending numerous MFA push notifications to users. This method exploited users' frustration or inattention, leading some to approve the unauthorized access requests. |
| 2022 | Okta | The Lapsus$ group targeted Okta by leveraging MFA fatigue attacks. They gained access to a third-party contractor's account by sending repeated MFA requests, eventually leading the user to approve one and compromising Okta's internal systems. |
Table 2: Real-World Examples of MFA Fatigue Attacks
These real-world prompt bombing examples show that MFA fatigue attacks are growing, leading to data breaches, operational downtime, and financial losses.
How to Defend Against MFA Fatigue Attacks
Implementing the right strategies can reduce the risk of MFA fatigue attacks. Here are key defenses:
Implement Robust Security Awareness Training
Educating employees about MFA fatigue attacks is crucial. Incorporate training that covers:
- How MFA works and the risks associated with push notifications.
- Real-world scenarios to help employees recognize suspicious MFA requests.
- Best practices for responding to repeated MFA prompts.
Explore comprehensive security awareness training to reduce human risk factors.
Use Number Matching and Biometric MFA
Instead of basic push notifications, use number matching or biometric MFA. Number matching requires users to enter a code displayed on their device rather than simply tapping "Approve", so a prompt cannot be completed reflexively, which makes it harder for attackers to exploit fatigue. Biometric MFA adds a further layer of security.
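To make the difference concrete, here is an added example (written for this post, not Keepnet's or any vendor's code) of the server side of a number-matching push challenge in Python. It assumes the common flow in which the sign-in screen shows a random two-digit number and the authenticator app asks the user to type that number; the class and method names, the 60-second challenge lifetime and the three-attempt limit are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    """One pending push-MFA challenge (constructed example, not a vendor's data model)."""
    user: str
    number: str            # two-digit number shown on the sign-in screen
    created: float         # wall-clock time the challenge was issued
    settled: bool = False  # a challenge can be answered successfully only once
    attempts: int = 0      # numbers typed into the app for this challenge


class NumberMatchingVerifier:
    """Server side of number-matching push MFA.

    Plain push MFA asks "Approve?" and a tired user can tap Yes. Number matching
    instead shows a random two-digit number on the sign-in screen and makes the
    app ask for that number. A prompt the user did not start shows no number on
    any screen they can see, so a reflexive tap cannot complete it.
    """

    TTL_SECONDS = 60.0   # assumption: a challenge is valid for one minute
    MAX_ATTEMPTS = 3     # assumption: three wrong numbers settle the challenge

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can simulate expiry
        self._challenges: dict[str, PushChallenge] = {}

    def start(self, user: str) -> tuple[str, str]:
        """Issue a challenge; returns (challenge_id, number to show at sign-in)."""
        challenge_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        self._challenges[challenge_id] = PushChallenge(user, number, self._clock())
        return challenge_id, number

    def answer(self, challenge_id: str, typed_number: str) -> bool:
        """Verify the number the user typed into the authenticator app."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.settled:
            return False
        if self._clock() - ch.created > self.TTL_SECONDS:
            ch.settled = True          # expired: dead, never retried
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.number.encode(), typed_number.strip().encode())
        if ok or ch.attempts >= self.MAX_ATTEMPTS:
            ch.settled = True          # single use on success, and after the attempt limit
        return ok
```

The verifier never exposes an "approve without a number" path, which is the whole point: an unsolicited prompt can only be completed by someone who can see the sign-in screen that shows the number. Pair this with the awareness training above, since the remaining way past it is to talk the user into reading out or typing a number on an attacker's behalf.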
Monitor and Respond to MFA Bombing
Deploy systems that can detect repeated MFA requests and flag unusual activity, such as a burst of push prompts for a single account within a short window or prompts that arrive while the user is not signing in. Email incident response tools can help quickly identify and mitigate potential attacks.
Implement Time-Based MFA Lockouts
Enforce policies that lock out accounts temporarily after multiple failed (denied or unanswered) MFA attempts. This reduces the window of opportunity for attackers to overwhelm users with requests.
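As an added example covering both the monitoring and the lockout defenses above (example code written for this post, not Keepnet's or any identity provider's tooling), the Python below replays a constructed push-MFA log, counts pushes per user in a sliding window, flags a user once the count reaches a threshold, and records what a temporary lockout would have suppressed. The log layout, field names, event values, the 5-minute window, the threshold of 5 and the 15-minute lockout are all assumptions for the example; real products use their own schemas and settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of an identity provider's push-MFA log. The layout, field
# names and event values are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """\
2024-12-18T09:14:03Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:14:09Z user=alice event=push_denied ip=203.0.113.5
2024-12-18T09:14:15Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:14:40Z user=bob event=push_sent ip=198.51.100.7
2024-12-18T09:14:47Z user=bob event=push_approved ip=198.51.100.7
2024-12-18T09:14:51Z user=alice event=push_timeout ip=203.0.113.5
2024-12-18T09:15:02Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:15:30Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:15:55Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:16:20Z user=alice event=push_sent ip=203.0.113.5
2024-12-18T09:16:31Z user=alice event=push_approved ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")

WINDOW = timedelta(minutes=5)     # sliding window in which pushes are counted
THRESHOLD = 5                     # pushes within WINDOW that count as bombing
LOCKOUT = timedelta(minutes=15)   # temporary lockout once bombing is flagged


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def new_finding():
    return {"peak_pushes": 0, "flagged": False, "flagged_at": None,
            "lockout_until": None, "would_suppress": 0, "approved_during_lockout": False}


def analyze(log_text):
    """Replay the log in order and return a finding per user.

    A user is flagged when THRESHOLD push_sent events fall inside WINDOW. From that
    point a LOCKOUT period is simulated: further pushes are counted as ones the
    policy would have suppressed, and an approval inside the period is recorded
    because it is the moment the bombed user gave in.
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside WINDOW
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        f = findings.setdefault(user, new_finding())
        locked = f["lockout_until"] is not None and ts < f["lockout_until"]
        if event == "push_sent":
            if locked:
                f["would_suppress"] += 1
                continue
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop pushes that fell out of the window
                q.popleft()
            f["peak_pushes"] = max(f["peak_pushes"], len(q))
            if len(q) >= THRESHOLD and not f["flagged"]:
                f["flagged"] = True
                f["flagged_at"] = ts
                f["lockout_until"] = ts + LOCKOUT
        elif event == "push_approved" and locked:
            f["approved_during_lockout"] = True
    return findings


if __name__ == "__main__":
    for user, finding in analyze(SAMPLE_LOG).items():
        print(user, finding)
```

When replayed against a historical log, an approval that lands inside the simulated lockout window is the record to investigate first. At a live enforcement point the same state machine would stop delivering the push instead of merely counting it, and would notify the security team and the user through a channel other than the one being flooded.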
How Keepnet Helps Combat MFA Fatigue Attacks
Keepnet provides organisations with the tools and strategies needed to defend against MFA fatigue attacks. By combining proactive measures and employee-centric solutions, Keepnet helps organisations strengthen their multi-factor authentication (MFA) practices and reduce human error vulnerabilities.
Security Awareness Training
Keepnet's tailored security awareness training programs educate employees on recognising and responding to MFA fatigue attacks. Through outcome-driven metrics, such as Protection Level Agreements (PLAs) and measurable Security Behavior and Culture Programs, employees gain practical skills to identify repeated MFA prompts, securely handle suspicious login requests, and avoid unauthorized approvals.
MFA Phishing Simulation
Keepnet’s MFA phishing simulation tests how employees respond to real-world attack scenarios. This helps organizations identify vulnerabilities, improve user awareness, and create a security culture.
Incident Response Automation
Keepnet's Incident Response Automation empowers organizations to swiftly detect and mitigate cyber risks posed by suspicious emails.
By leveraging advanced AI-powered tools and integrating with popular email platforms like Office 365, Google Workspace, and Exchange, it significantly reduces the average response time from hours to minutes.
The platform automates threat analysis, quarantines malicious emails, and facilitates employee reporting through the Phishing Reporter add-in, fostering a proactive security culture.
Threat Sharing Platform
Keepnet's Threat Sharing product enables organizations to collaborate and share threat intelligence about MFA fatigue attacks. By leveraging real-time insights, companies can identify emerging attack patterns, enhance detection, and proactively defend against evolving threats.