Hackers have some pretty elaborate ways of tricking users in order to gain access to their accounts, from phishing emails to fraudulent Google Ads. However, their latest method of choice takes a blunter approach.
MFA Fatigue attacks happen when a hacker already has an individual's login credentials for a system that requires simple multifactor authentication (MFA) to sign in. (Simple MFA means the user receives a notification of a login attempt via SMS, voice message, or push notification, which the user can then approve or deny with the press of a button.) The hacker submits numerous MFA requests to bombard the end user with login notifications. Unlike phishing emails or phony ads, the goal is not necessarily to deceive the user.
Instead, there are three outcomes the hacker is hoping to achieve:
1. The end user assumes a system malfunction and approves the login to make the notifications stop.
2. The end user gets overwhelmed by the barrage of MFA requests and approves the login to make the notifications stop.
3. The end user attempts to deny the login, but hits the wrong button, and accidentally approves the login.
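The pattern described above, a burst of push prompts to one user followed by an approval, is something a defender can spot in MFA logs. The following is an added example, not code from the original article: it parses a constructed push-notification log (the line format and event names are assumptions, not any real product's format) and flags users who received more prompts than a threshold inside a sliding window, noting whether an approval followed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real product). One line per event:
# "<UTC timestamp> user=<name> event=<push_sent|push_denied|push_approved> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:05Z user=alice event=push_sent src=203.0.113.7
2024-03-01T08:00:09Z user=alice event=push_denied src=203.0.113.7
2024-03-01T08:00:40Z user=alice event=push_sent src=203.0.113.7
2024-03-01T08:01:12Z user=alice event=push_sent src=203.0.113.7
2024-03-01T08:01:50Z user=alice event=push_sent src=203.0.113.7
2024-03-01T08:01:58Z user=alice event=push_approved src=203.0.113.7
2024-03-01T08:05:00Z user=bob event=push_sent src=198.51.100.4
2024-03-01T08:05:06Z user=bob event=push_approved src=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag users who received at least `threshold` push prompts inside one sliding `window`.
    Each alert records whether an approval followed the burst, the outcome the attack is after."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside the window
    alerts = {}                  # user -> alert dict (one alert per user)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "pushes": len(q), "src": rec["src"],
                                "first": q[0], "last": ts, "approved_after": False}
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after"] = True   # burst ended in an approval: revoke session
    return list(alerts.values())
```

An alert with `approved_after` set is the case to treat as a likely compromise; a burst that ends in denials still indicates the credentials are already in the attacker's hands and should be reset.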
How to Protect Against MFA Fatigue Attacks
Educate your team
As with any cybersecurity risk, the first step is education. Understanding what MFA Fatigue is allows your employees to more easily identify an attack while it’s happening. This will reduce the likelihood of users mistaking the attack for a glitch in your system.
Don't share accounts
One of the most important steps an organization can take to fend off MFA Fatigue, or any cybersecurity threat, is avoiding shared accounts. Assigning a unique account to each user means they can be certain that any login attempt they did not initiate came from a bad actor and should be denied.
Don't just use simple MFA
Make sure everybody in your organization uses a verification method such as number matching, rather than simple MFA. With number matching, users are prompted to enter a verification code that is displayed on the login screen. Without entering that code, users are unable to approve the login request.