As businesses, their employees, and users in general become more educated about and savvy to the methods bad actors use, those attackers continue to evolve and find new ways to access sensitive data and information.
Multi-factor authentication offers a big security boost against unauthorized access, but it also gives rise to one of the latest threats - MFA fatigue.
What is MFA Fatigue?
MFA relies on multiple types of authentication factors for an additional layer of security and for proof of user identity. Two-factor authentication is one of the most common forms of MFA and requires two separate elements to authenticate - typically a user's credentials, and an app that presents a follow-up allow/deny prompt or a code to complete the login process.
An MFA fatigue attack, also known as MFA bombing or spamming, is a social engineering cyberattack where the attacker repeatedly pushes authentication requests to the victim's phone or authenticator app.
The goal of these attacks is to get the targeted user to confirm the request out of exasperation, giving the attacker access to the protected system.
Types of Authentication Factors
As we've talked about before, MFA requires the verification of two or more types of authentication factors. These are divided into the following categories:
- Things you know - passwords, PINs, answers to security questions
- Things you have - authenticator apps, phones for receiving SMS/call verifications
- Things you are - biometrics like fingerprints, your voice, or your face
How Does an MFA Fatigue Attack Work?
The steps of an MFA fatigue attack unfold as follows:
Step 1. User credentials and information are collected - Bad actors obtain user credentials and other personal information through phishing attacks, data breaches, etc.
Step 2. Stolen credentials are used to send MFA push notifications - Bad actors repeatedly attempt to log in to a protected system using the stolen credentials, which generates one MFA notification after another.
Step 3. Victim gets tired of receiving push notifications - After receiving countless requests for verification, the victim eventually slips up and confirms their identity without double-checking if it is a legitimate request, thus allowing access to the protected system.
How to Secure Against an MFA Fatigue Attack
The best way to protect yourself against this type of attack is by taking the necessary steps that can strengthen your existing security parameters:
Tighten MFA Parameters to Prevent Attack
Security can always be increased. Using at least two factors of authentication makes it more difficult for the attacker to gain access. You can also limit the number of unsuccessful attempts that are allowed. This will stop the user from getting an abundance of push notifications.
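One way to apply the attempt limit described above, shown as an added example that is not part of the original article: a per-account throttle that stops sending push prompts once too many have been denied or ignored. The class name, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class PushThrottle:
    """Caps unanswered/denied MFA push prompts per account (hypothetical helper)."""

    def __init__(self, max_prompts=3, window_s=600, lockout_s=900):
        self.max_prompts = max_prompts   # unsuccessful prompts tolerated per window
        self.window_s = window_s         # sliding window length, seconds
        self.lockout_s = lockout_s       # how long pushes stay disabled afterwards
        self._unsuccessful = defaultdict(deque)  # user -> timestamps of denied/ignored prompts
        self._locked_until = {}

    def allow_push(self, user, now):
        """Return True if a new push prompt may be sent to `user` at time `now`."""
        if now < self._locked_until.get(user, 0):
            return False                 # still locked out: send nothing to the phone
        recent = self._unsuccessful[user]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()             # forget prompts that fell out of the window
        if len(recent) >= self.max_prompts:
            self._locked_until[user] = now + self.lockout_s
            recent.clear()
            return False                 # limit hit: suppress and start the lockout
        return True

    def record_result(self, user, now, approved):
        """Record what happened to a prompt that was actually sent."""
        if approved:
            self._unsuccessful[user].clear()
        else:
            self._unsuccessful[user].append(now)

def replay(events, throttle):
    """Run (timestamp, user, approved) login attempts through the throttle.
    Returns (prompts_sent, prompts_suppressed)."""
    sent = suppressed = 0
    for ts, user, approved in events:
        if throttle.allow_push(user, ts):
            sent += 1
            throttle.record_result(user, ts, approved)
        else:
            suppressed += 1
    return sent, suppressed

# Constructed sample: ten login attempts for one account, 20 seconds apart,
# every prompt ignored by the real user.
SAMPLE_EVENTS = [(t, "alice", False) for t in range(0, 200, 20)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, PushThrottle()))
```

In a real deployment the lockout would also raise an alert, since a burst of denied prompts means the account's password is likely already in an attacker's hands.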
Spread Security Awareness
Educating users on MFA fatigue, other popular attacks, and best practices can help reduce the chances of falling victim to an attack.
Implement System Hardening
Hardening involves securing a system by minimizing attack surfaces. Some ways to do so include keeping applications up to date, eliminating default passwords or configurations, and applying the principle of least privilege.
Prioritize Vulnerabilities for Remediation
Regularly review systems to identify gaps or vulnerabilities, and keep up with changes in the security landscape to help anticipate the types of attacks that could potentially occur, so you aren't caught off guard when workarounds like MFA fatigue pop up.
By taking the necessary steps outlined above, businesses can continue to keep their systems safe from hackers, protecting their data, users, and clients from the worst.