Best practices to prevent MFA fatigue and reduce attack susceptibility

Category: Data Loss Prevention
By Lexie Taylor-East, Content Marketing Manager

Multi-Factor Authentication (MFA) has become a gold standard in cyber security, adding an essential layer of protection on top of the password. Even if someone's password is compromised, the extra authentication step makes it much harder for unauthorised individuals to gain access. It's not a silver bullet, but it often serves as the final line of defence.

Yet a new challenge looms: MFA fatigue attacks. Here we'll cover how IT professionals and cyber security experts can tackle this risk. Discover why MFA fatigue happens, how cybercriminals exploit it, and the best practices to minimise vulnerability to such attacks.


Understanding MFA and its role in cyber security

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security mechanism that requires individuals to provide two or more separate forms of identification to verify their identity.

Types of authentication factors: 

  • Something you know: Knowledge factors, such as passwords or identification numbers, which a user must remember and enter to access a system.

  • Something you have: Possession-based factors, such as a smartphone or a security token, which the user must physically possess to authenticate.

  • Something you are: Biometric factors, like fingerprints or facial recognition, that rely on unique physical attributes for identification.

Why is MFA important? 

MFA is an indispensable part of defence-in-depth strategies. Passwords can be easily compromised, but by adding multiple layers of authentication, it becomes significantly more difficult for unauthorised individuals to access critical systems or sensitive data. 

The rise of MFA fatigue and what that means for you 

What is MFA fatigue?

Multi-factor authentication (MFA) fatigue occurs when people are overwhelmed by frequent MFA prompts, leading to frustration and potential security lapses. This constant need for verification can annoy users, causing them to seek shortcuts that might compromise security.

While MFA is a strong security measure, excessive prompts can cause employees to become complacent. If bombarded with requests, they may start seeing MFA as a routine nuisance rather than a vital security step. Over time, this 'MFA fatigue' can lead to careless behaviour, like automatically approving prompts without checking their legitimacy.

Additionally, MFA fatigue creates opportunities for cyber attackers. For instance, attackers might exploit it by mimicking real MFA prompts to trick employees into sharing login details or approving unauthorised requests, a tactic known as an MFA fatigue attack.

A multi-factor authentication (MFA) fatigue attack, also known as MFA bombing or MFA spamming, is a cyber attack in which the attacker repeatedly sends MFA requests to a victim, hoping to wear them down until they approve access out of frustration.

What is the goal of an MFA fatigue attack?

The typical sequence of an MFA fatigue attack aims to breach sensitive accounts and access critical data.

1. Gain credentials: An MFA fatigue attack begins when an attacker obtains a victim's credentials, often via phishing, social engineering, or the dark web.

2. Trigger MFA prompts: Using the stolen credentials, the attacker sends an MFA prompt to the target, asking them to confirm their identity with something they own, like a mobile phone.

3. Relentless prompting: If the target doesn't immediately accept the prompt, the attacker sends more prompts to create "fatigue". The attacker may send the notifications over email, text message, or desktop notification, but they're usually sent to the user's authenticated mobile device. 

4. Access gained: Once the user accepts the prompt, the attacker gains access to their account and any apps or assets protected by MFA.

Attackers may also heighten stress by creating a narrative, such as sending spam emails warning of a data breach and urging immediate action. 

MFA fatigue attack examples

In an MFA fatigue attack simulation run using CultureAI in 2023, 31% of employees accepted an unsolicited MFA request.

MFA fatigue attacks have also been central to several high-profile cyber security incidents. Here are two notable cases:

Uber (September 2022)

Attackers accessed Uber's internal Slack server and vulnerability reports by sending repeated approval requests to a contractor, leveraging MFA fatigue. The swift response limited the attack's impact.

Cisco (May 2022)

In 2022, an attacker breached Cisco’s corporate network, successfully stealing data by employing social engineering tactics to bypass MFA. This breach involved a combination of voice phishing and inducing MFA fatigue, ultimately compromising Cisco's network. The Yanluowang ransomware group specifically targeted an employee's work credentials linked to a personal Google account. Cisco has since advised enhancing employee education regarding MFA security practices.

How to prevent MFA fatigue attacks 

To effectively combat MFA fatigue among employees, it's important to embrace strategies that not only enhance security but also respect user comfort and convenience. 

Here are some practical strategies you can implement to achieve this balance:

Implement user-friendly MFA solutions 

Adopting user-friendly MFA solutions can significantly reduce fatigue. Choose methods that are easy to use and integrate seamlessly into users' daily routines. For example, biometric authentication is quick and unobtrusive, offering high security with minimal effort for employees.

Educate employees on the importance of MFA

Ensure employees understand why MFA is essential and how to use it effectively. It’s crucial to provide targeted coaching and run MFA attack simulations. These simulations help you to proactively identify vulnerabilities and offer specific coaching to improve employee preparedness. This way, the risk of falling victim to real MFA attacks is minimised.

Utilise adaptive authentication

Adaptive MFA adjusts the level of authentication required based on the context of the login attempt. Factors like location, device, and behaviour can trigger different authentication methods. This reduces unnecessary prompts while maintaining high security.

Automatically detect anomalies 

By continuously monitoring user activity, you can identify anomalies and potential indicators of MFA fatigue. Human Risk Monitoring allows you to track employee behaviour and spot excessive authentication attempts or unusual access patterns, helping to prevent possible security breaches.
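The "excessive authentication attempts" pattern described above can be caught from MFA provider logs. The following is an added example, not CultureAI's code: it runs a sliding-window detector over constructed push-notification events (hypothetical event names push_sent, push_denied and push_approved) and flags a user who receives more prompts than a threshold in a short window, rating a burst that ends in an approval as high severity, since that is exactly what a successful MFA fatigue attack looks like.

```python
"""Detect MFA push-bombing bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system:
# (timestamp, user, event, source_ip). Event names are assumed.
SAMPLE_LOG = [
    ("2024-03-01T08:00:05", "alice", "push_sent",     "203.0.113.7"),
    ("2024-03-01T08:00:40", "alice", "push_denied",   "203.0.113.7"),
    ("2024-03-01T08:01:10", "alice", "push_sent",     "203.0.113.7"),
    ("2024-03-01T08:01:50", "alice", "push_sent",     "203.0.113.7"),
    ("2024-03-01T08:02:30", "alice", "push_sent",     "203.0.113.7"),
    ("2024-03-01T08:03:00", "alice", "push_approved", "203.0.113.7"),
    ("2024-03-01T09:00:00", "bob",   "push_sent",     "198.51.100.20"),
    ("2024-03-01T09:00:20", "bob",   "push_approved", "198.51.100.20"),
]

WINDOW = timedelta(minutes=10)   # look-back window for counting prompts
MAX_PROMPTS = 3                  # more than this many pushes in WINDOW is suspicious


def parse(record):
    ts, user, event, ip = record
    return datetime.fromisoformat(ts), user, event, ip


def detect_push_bombing(log, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for users whose prompt count exceeds max_prompts
    within `window`. A finding records the prompt count, how many prompts the
    user denied, and whether the burst was followed by an approval."""
    by_user = defaultdict(list)
    for rec in sorted(map(parse, log)):
        by_user[rec[1]].append(rec)

    findings = {}
    for user, events in by_user.items():
        prompts = [e for e in events if e[2] == "push_sent"]
        start = 0
        for end in range(len(prompts)):            # sliding window over prompts
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count <= max_prompts or count <= findings.get(user, {}).get("prompts", 0):
                continue
            burst_start, burst_end = prompts[start][0], prompts[end][0]
            denials = sum(1 for e in events if e[2] == "push_denied"
                          and burst_start <= e[0] <= burst_end + window)
            approved = any(e[2] == "push_approved" and burst_end <= e[0] <= burst_end + window
                           for e in events)
            findings[user] = {"prompts": count, "denials": denials,
                              "approved_after_burst": approved,
                              "severity": "high" if approved else "medium"}
    return findings
```

A high-severity finding is the trigger for a defender to revoke the session, reset the credential and contact the user, since the approval most likely came from fatigue rather than an intended login.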

Protecting against MFA fatigue attacks with CultureAI

Remember, the goal of MFA is to provide an additional layer of security for your systems and data. Its effectiveness hinges on correct implementation and employees' comprehension of its significance. Prioritise user-friendly solutions, continuous education, adaptive MFA, and advanced risk detection to boost security without overwhelming employees.

It's crucial to identify gaps in MFA deployment and instances where employees might bypass MFA protocols. CultureAI allows you to proactively detect and address potential MFA vulnerabilities in real time, ensuring adherence to security best practices. 

CultureAI also provides MFA attack simulations and targeted coaching, which help uncover weaknesses and enhance employee readiness, thereby mitigating the risk of MFA fatigue attacks.
