MFA Fatigue Attack

What Is an MFA Fatigue Attack?

A multi-factor authentication (MFA) fatigue attack, also known as MFA bombing or MFA spamming, is a social engineering cyberattack where the attacker repeatedly sends MFA requests to the victim’s email, phone, or other registered devices. This attack aims to coerce the victim into confirming their identity via notification, which would authenticate the attacker’s attempt to access the victim’s account or device.

This is part of a series of articles about insider threats.

How MFA Fatigue Works

MFA fatigue attacks are a form of social engineering. To execute an MFA fatigue attack, the attacker must first access the victim’s login credentials, typically through a phishing email, a credential stuffing attack, or purchasing them on the dark web. Once the attacker has obtained the victim’s login credentials, they can attempt to log in to the victim’s account or device. If the account has MFA enabled, the attacker will be prompted to provide the second-factor authentication code.

To trigger the MFA push notifications, the attacker enters the victim’s email or phone number as the registered device for MFA. The attacker then repeatedly sends MFA requests to the victim’s registered devices, typically with a frequency that is designed to overwhelm the victim’s ability to properly verify the requests.

The victim may receive multiple MFA requests in quick succession, with the attacker using various social engineering tactics to make the victim feel under pressure to approve the requests quickly. For example, the attacker may claim that there is suspicious activity on the account or that failure to approve the requests will lock the account.

If the victim falls for the attacker’s tactics and approves the MFA requests without properly verifying that they are legitimate, the attacker gains access to the victim’s account or device. This can allow the attacker to steal sensitive information, carry out fraudulent transactions, or install malware on the victim’s device.

6 Ways to Protect Against MFA Fatigue Attacks

1. Enable Additional Context

Enabling additional context is one way to protect against MFA fatigue attacks. Providing users with more information about the authentication request can help them to determine whether it is legitimate. Here are some ways to enable additional context for MFA:

Geolocation: Using the user’s geolocation can help verify the user’s location and make it more difficult for attackers to carry out MFA fatigue attacks from a different location. This can be particularly useful for mobile devices, where the user’s location can change frequently.
Device fingerprinting: Device fingerprinting is a technique that can help to identify the user’s device based on its unique characteristics, such as the device’s browser configuration, screen resolution, and operating system. It can help prevent attackers from using different devices to perform MFA fatigue attacks.
Behavioral analytics: Analyzing the user’s behavior patterns, such as their typical login times, the type of device they use, and the locations they log in from, can help to determine whether an authentication request is legitimate or not. This can be particularly useful for detecting MFA fatigue attacks, as attackers typically deviate from the user’s normal behavior patterns.
Session history refers to a record of the user’s previous login attempts and the devices used. Reviewing the user’s session history can help identify patterns of suspicious behavior and prevent MFA fatigue attacks.

2. Adopt Risk-Based Authentication

Here are some ways to adopt risk-based authentication for MFA:

Risk scoring: This involves assigning a risk score to each authentication request based on various factors, such as the user’s location, device, and behavior patterns. The higher the risk score, the more authentication factors are required to verify the user’s identity.
Adaptive authentication: This method uses real-time risk analysis to determine the level of authentication required for each login attempt. This can involve analyzing the user’s behavior patterns, the device being used, and the location of the login attempt.
Dynamic policy management: Dynamic policy management involves adjusting the authentication policy based on the current risk level. For example, if the risk level is high, the authentication policy may require additional authentication factors or block the login attempt entirely.

3. Implement the FIDO2 Authentication

FIDO2 is an open authentication standard designed to provide strong authentication without passwords. FIDO2 authentication can be implemented using hardware security keys like USB or NFC. These keys store the user’s private key and use public-key cryptography to verify the user’s identity.

This involves generating a public key and a private key for each user. The private key is stored on the user’s device or hardware security key, while the public key is stored on the authentication server. When the user logs in, the server sends a challenge to the user’s device, signed with the private key. The signed challenge is then returned to the server, which verifies the signature using the public key.

4. Disable Push Notification as a Verification Method

MFA push notifications are designed to be easy to use, as users must click “Yes” or “Allow” to approve login attempts. However, this simplicity also makes it easier for attackers to overwhelm users with fraudulent MFA requests.

To protect against MFA fatigue attacks, it is recommended to disable push notifications as a verification method in your authenticator app. Instead, use alternative verification methods such as:

Number-matching: Involves matching a unique code or PIN provided by the authentication app with the code displayed on the screen during the login process.
Challenge and response: The app provides a random challenge or question the user must answer to verify their identity.
Time-based one-time passwords: The app generates a unique code that changes every few seconds, which users must enter to verify their identity.

The advantage of these alternative verification methods is that they require users to participate actively in the authentication process and cannot be approved by accident. Disabling push notifications and using these alternative verification methods can help prevent MFA fatigue attacks and improve the overall security of MFA.

5. Improve Security Awareness Around MFA

Educating users on the risks of MFA fatigue attacks and providing guidance on verifying MFA requests can help reduce the likelihood of successful attacks. Here are some ways to improve security awareness around MFA:

User education: Provide users with education and training on MFA, including the risks of MFA fatigue attacks and how to verify the authenticity of MFA requests. This can include simulated phishing exercises, which can help to raise awareness of the tactics used by attackers and teach users how to recognize and avoid them.
Simple language: Use simple language to explain the risks and benefits of MFA and provide clear instructions on how to set up and use MFA. Avoid using technical jargon or complex language, which can confuse users and reduce the effectiveness of security awareness programs.
Good password hygiene: Encourage users to use strong, unique passwords and avoid reusing passwords across multiple accounts. This can help to prevent attackers from using stolen passwords to carry out MFA fatigue attacks.
Monitor activity: Regularly monitor user accounts for suspicious activity, such as multiple failed login attempts or unusual login locations. This can help to detect MFA fatigue attacks and other types of cyber attacks before they cause significant damage.
Review and update: Regularly review and update MFA settings, such as registered devices and notification settings, to ensure they are optimized for security and usability. This can help to prevent MFA fatigue attacks and other types of cyber attacks.

6. Protecting Against MFA Fatigue Attacks with an Advanced SIEM Platform

Protecting against MFA fatigue attacks requires a proactive approach, which can be achieved by combining advanced SIEM (Security Information and Event Management) solutions with user and entity behavior analytics (UEBA) and other security best practices. Advanced SIEM platforms provide real-time monitoring, threat detection, and incident response capabilities to help organizations detect and mitigate MFA fatigue attacks.

Here are some ways to protect against MFA fatigue attacks using SIEM:

Real-time monitoring and alerting: SIEM systems monitor your environment for suspicious or abnormal behavior, such as repeated failed login attempts or unusual access patterns. Security teams can quickly investigate and mitigate potential MFA fatigue attacks by setting up real-time alerts.
User and Entity Behavior Analytics (UEBA): SIEMs use UEBA to establish baseline credential and device behavior patterns and identify deviations from the norm. This helps detect any attempts to exploit MFA fatigue by identifying unusual login patterns or account usage.
Machine learning threat detection: Many SIEMs utilize machine learning to identify complex attack patterns and detect threats that traditional, rule-based systems might miss. This capability can help security teams detect and prevent MFA fatigue attacks more effectively.
Incident response and automation: Most advanced SIEM platforms often include orchestrated incident response and automation capabilities, allowing security teams to respond quickly to potential MFA fatigue attacks by isolating affected accounts, resetting credentials, or triggering other remediation actions.

By employing SIEM capabilities and implementing other security best practices, organizations can effectively protect against MFA fatigue attacks and maintain a secure and robust authentication environment.