What is multi-factor authentication (MFA) fatigue and how do you defend against attacks?
Strong authentication is key to security, but it needs to be properly managed to avoid MFA fatigue


Multi-factor authentication (MFA) is a widely used security strategy that requires the use of two or more different verification factors to authenticate the user. Unfortunately, as MFA has become more prominent across the business landscape, it’s increasingly become vulnerable to exploitation by cyber criminals thanks to MFA fatigue.
MFA is more secure than the simple combination of a username and password, adding a second authentication layer, and it’s increasingly required for all kinds of platforms from online banking to business systems. You still need a username and password, and when these are entered correctly, a message is sent to your mobile phone asking you to approve the login attempt. Only when approval is given can you log in.
What is MFA fatigue?
MFA is both easy to use and offers more protection of critical assets, meaning it’s been increasingly adopted by a number of services. In fact, it’s difficult to avoid encountering some form of two-factor authentication (2FA) or MFA in digital life.
However, everybody must now handle a growing number of push notifications and codes, and weariness is setting in. While MFA is undoubtedly more secure than not using it, the process can be tiring for users who once only needed a username and password combination locked away in a password manager. Every time a user wants to log in to their bank, for example, or online productivity suite, or their work email, they must approve their own login attempt. Having to do this can become irritating and tedious. This is what cyber criminals hope to take advantage of.
What does MFA fatigue look like?
MFA often uses a notification sent to a phone, called a ‘push notification’. It can also come in the form of an SMS code, or an authenticator app. In the case of a push notification, a message will alert the user to an attempt to log in, and ask them to ‘allow’ or ‘deny’ the login by tapping a button. Alternatively, the push notification might require biometric authentication, or a one-time passcode. Nevertheless, these button-based types of notifications are the ones that offer cyber criminals their greatest opportunities.
The frustration of push notifications piling up when the user has already gone through the first login stage in a different way – for example through their web browser – can start to feel tedious. All it takes is one person to feel so annoyed at receiving yet another notification, that they hit the approve button without really thinking about it or meaning to. This is what cyber criminals waiting in the wings are banking on.
How do MFA fatigue attacks work?
A hacker seeking access to somebody’s account can submit a username and password combination to generate a push notification to the account owner’s smartphone. These credentials can be obtained in various ways, including dictionary attacks that run through lists of alphanumeric combinations alongside guessed passwords, or they can use actual credentials obtained through insider leaks, theft or phishing.
As soon as the correct username and password combination is used, the push notification is triggered. This won’t happen just once. Automated hostile systems make multiple attempts, each one generating a push notification in a brute force attack. This is in the hope the victim hits the ‘approve’ button out of sheer fatigue, annoyance or carelessness.
Cyber criminals rely entirely on their victim authenticating the login attempt. While some users will be diligent all the time, hackers only need a tiny fraction of users to grant access. In the end, MFA fatigue attacks rely on users making mistakes.
How can you defend against MFA fatigue attacks?
While MFA helps keep systems secure, the vulnerability lies with users succumbing to fatigue and tapping an approval notification out of frustration. Businesses, however, can take a number of steps to minimise these errors and mitigate the risks.
Give users the agency to report attacks
Firstly, let users know that receiving multiple push notifications is very likely the action of a cyber criminal, and that these notifications should be reported to the IT security team. This can make the user feel they have some agency, and allows them to take positive action.
Once informed that a brute force attack is in progress, the IT security team can change the user’s password, and this will mean that a hacker no longer has a working username and password, so they can’t trigger push notifications.
Urge staff to change their passwords
It’s also wise to encourage users to change their passwords if even a single push notification shows a login attempt from an unfamiliar geographical location, or an unfamiliar device. If the user doesn’t recognise where the login attempt is coming from, it may well not be a legitimate login attempt.
Employ an alternative MFA approach
Using an alternative form of MFA, such as a code issued by an authenticator app, would avoid this issue altogether. There are a number of alternatives available to the push notification, including a one-time code delivered by text message, or biometric authentication. Setting a limit to sign-in requests that can generate a push notification might also be helpful, with systems requesting a password reset if that limit is reached.
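The limit on push notifications described above, combined with the detection of the repeated sign-in attempts described under “How do MFA fatigue attacks work?”, can be expressed as a small sliding-window policy. The following is an added example, not code from the article or from any identity provider: it throttles push challenges per user, blocks further challenges once a hypothetical limit (three in ten minutes) is exceeded, flags the account for the security team and requires a password reset before push MFA resumes. The log format and the sample log lines are constructed for the demonstration.

```python
"""Push-challenge throttling and burst detection for MFA fatigue (added example).

Hypothetical policy: at most PUSH_LIMIT push challenges per user per WINDOW.
Exceeding it blocks further challenges, records an alert for the security
team and requires a password reset before push MFA is re-enabled.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

PUSH_LIMIT = 3                      # assumed limit; tune for your environment
WINDOW = timedelta(minutes=10)      # assumed sliding window


class PushChallengePolicy:
    """Decide whether the IdP may send a push challenge for a user."""

    def __init__(self, limit=PUSH_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._recent = defaultdict(deque)   # user -> timestamps of recent pushes
        self.reset_required = set()         # users locked pending a password reset
        self.alerts = []                    # messages for the security team

    def request_push(self, user, when):
        """Return 'push_sent' or 'blocked'; the caller sends no push when blocked."""
        if user in self.reset_required:
            return "blocked"
        recent = self._recent[user]
        # Discard timestamps that have fallen outside the sliding window.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            # Burst of challenges: stop notifying the user, lock push MFA, alert the SOC.
            self.reset_required.add(user)
            self.alerts.append(
                f"{user}: {len(recent)} push challenges within {self.window}; "
                "possible MFA fatigue attack, password reset required")
            return "blocked"
        recent.append(when)
        return "push_sent"

    def complete_password_reset(self, user):
        """Called once the help desk has verified the user and changed the password."""
        self.reset_required.discard(user)
        self._recent[user].clear()


# Constructed log format: "<ISO-8601 UTC timestamp> push_challenge user=<name>"
LOG_RE = re.compile(r"^(\S+) push_challenge user=(\S+)$")


def replay_log(lines, policy):
    """Feed push-challenge log lines through the policy; return decisions per user."""
    decisions = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue                        # ignore unrelated or malformed lines
        ts, user = match.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        decisions[user].append(policy.request_push(user, when))
    return dict(decisions)


# Constructed sample: alice is hit with five challenges in under two minutes,
# bob receives two legitimate challenges an hour apart.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z push_challenge user=alice
2024-05-01T09:00:25Z push_challenge user=alice
2024-05-01T09:00:49Z push_challenge user=alice
2024-05-01T09:01:13Z push_challenge user=alice
2024-05-01T09:01:37Z push_challenge user=alice
2024-05-01T09:05:00Z push_challenge user=bob
2024-05-01T10:05:00Z push_challenge user=bob
"""

if __name__ == "__main__":
    policy = PushChallengePolicy()
    for user, outcome in replay_log(SAMPLE_LOG.splitlines(), policy).items():
        print(user, outcome)
    for alert in policy.alerts:
        print("ALERT:", alert)
```

Because the window slides, a user who legitimately approves a couple of logins an hour apart is never affected, while a burst of challenges stops reaching the phone after the third one, which removes the opportunity for a tired user to tap ‘approve’ by mistake. The same replay function can be run over exported identity-provider logs to find accounts that would have tripped the limit before it is enforced.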

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.
At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.