MFA fatigue attacks: What they are & how to respond
Cybersecurity is a top priority for businesses of all sizes. With new threats popping up every day, organizations must stay vigilant to protect their sensitive data and systems from unauthorized access. One of the most effective ways to secure user accounts is through multi-factor authentication (MFA).
MFA adds an extra layer of security by requiring users to provide two or more forms of identification to access an account. However, even this robust security measure is not foolproof. Cybercriminals have found a way to exploit human nature through a technique called MFA fatigue attacks.
MFA fatigue has emerged as one of several tactics seen in recent cybersecurity incidents, and it was used alongside other techniques in the breaches at companies like Uber and Cisco.
These attacks can have devastating consequences, from data breaches to financial losses. In this article, we take a look at what MFA fatigue is, how it works, and most importantly, how to defend against it.
What is MFA fatigue?
MFA fatigue, also known as MFA bombing or MFA exhaustion, is a type of social engineering attack that aims to trick legitimate users into accepting malicious MFA requests. The attacker's goal is to wear down the user's vigilance by bombarding them with a flood of MFA prompts, hoping they will eventually accept one out of frustration or distraction.
Here's a typical scenario: A cybercriminal gains access to a user's username and password through methods like phishing, brute force attacks, or compromised credentials from data breaches. However, when they try to log in, they are prompted for a second form of authentication, such as a one-time code sent via SMS or a push notification on an authenticator app.
Since the attacker doesn't have access to the user's phone, they can't complete the login. Instead, they repeatedly attempt to log in, triggering a barrage of MFA requests to the user's device. The user gets annoyed by the constant notifications and eventually accepts one, thinking it will make them stop. And just like that, the attacker is in.
MFA fatigue attacks exploit the human element of cybersecurity. They rely on the fact that people can get frustrated, distracted, or simply make mistakes. By repeatedly prompting for MFA, attackers wear down users' defenses until they find a weakness to exploit.
How do MFA fatigue attacks work?
MFA fatigue attacks typically follow a predictable pattern. Here's a breakdown of the stages:
- Reconnaissance: The attacker gathers information about the target, such as their username, email address, and any publicly available personal details. They may use social media, data brokers, or phishing campaigns to collect this intel.
- Initial access: Using the information gathered, the attacker attempts to log into the user's account. This could be through a stolen password, a brute-force attack, or credential stuffing (trying username/password combinations from other data breaches).
- Repeated MFA prompting: The attacker repeatedly initiates new login attempts, each generating a fresh MFA request to the user's device. Each attempt creates a new push notification on an authenticator app, SMS code, or hardware token prompt.
- User exhaustion: The user, who is likely not expecting these repeated prompts, becomes annoyed or worried. They may be in the middle of a task, in a meeting, or even trying to sleep. After a certain number of prompts, the user may accept one just to make them stop, assuming it's a glitch or they accidentally requested it.
- Unauthorized access: If the user accepts the malicious MFA prompt, the attacker gains access to their account. They can then steal sensitive data, make fraudulent transactions, or use the account as a launching point for further attacks.
The success of an MFA fatigue attack depends on the attacker's persistence and the user's vigilance. Some attackers use automated tools to generate a large number of MFA requests quickly, increasing the chances of user error. Others personalize the attack by spoofing a legitimate MFA prompt or using social engineering tactics to create a sense of urgency.
Consequences of MFA fatigue attacks
The consequences of an MFA fatigue attack can be severe and long-lasting. Here are some of the potential impacts on your organization:
1. Unauthorized access and data breaches
The most obvious consequence of an MFA fatigue attack is unauthorized access to your systems and data. Once an attacker gains entry using a compromised account, they can move laterally through your network, escalate privileges, and exfiltrate sensitive information.
Data breaches can have devastating effects on your business, including:
- Financial losses from theft, fraud, and recovery costs
- Reputational damage and loss of customer trust
- Legal liabilities and regulatory penalties
- Operational disruption and downtime
- Intellectual property theft and competitive disadvantage
According to IBM's Cost of a Data Breach Report 2024, the average cost of a data breach reached an all-time high of $4.88 million. MFA fatigue attacks contribute to these costs by exploiting human behavior in MFA implementations that lack additional safeguards. However, MFA remains one of the most effective defenses against unauthorized access when properly configured with protections like number matching, rate limiting, and contextual authentication.
2. Compliance violations and penalties
Many industries have specific regulations and standards for protecting sensitive data, such as HIPAA for healthcare, PCI DSS for payment card processing, and GDPR for personal data in the EU. MFA fatigue attacks can lead to violations of these requirements, resulting in hefty fines and legal action.
For example, under GDPR, companies can face penalties of up to €20 million or 4% of their global annual revenue, whichever is higher, for failing to implement appropriate technical and organizational measures to protect personal data. MFA fatigue attacks exploit weaknesses in these measures, putting companies at risk of non-compliance.
3. Business disruption and reputational harm
Beyond the direct costs of a data breach, MFA fatigue attacks can also cause significant business disruption and reputational damage. If an attacker gains control of a critical system or service, they can halt operations, delete data, or hold your business for ransom.
The downtime and recovery efforts can be costly, both in terms of lost productivity and customer goodwill. If the attack becomes public knowledge, it can also tarnish your brand reputation and erode customer trust. In some cases, the reputational harm can be irreparable, leading to lost business and difficulty attracting new customers.
How to protect against MFA fatigue attacks
Defending against MFA fatigue requires a combination of technical controls and user education. Here are some best practices to prevent and respond to these attacks:
1. Enable number matching for MFA prompts
Number matching is an additional security feature available in many push-notification and authenticator-app-based MFA systems. When enabled, it displays a unique code on both the MFA prompt and the authentication screen. The user must confirm that the codes match before accepting the request. This helps prevent users from blindly approving MFA prompts without verifying their legitimacy.
For example, when a user receives an MFA push notification on their phone, they will see a 2-digit number like "42". To accept the request, they must also see "42" on the login screen in their browser. If the numbers don't match, the user knows the request is fraudulent.
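The server side of that flow, written here as an added example (not Rippling's code or any vendor's implementation): the number is generated per pending login and shown to whoever started the attempt, so a user who did not start the login has no number to type, and a prompt that is answered wrongly a few times is voided instead of staying open. The class name, the three-wrong-answers cap and the two-digit range are assumptions.

```python
import secrets


class NumberMatchingPush:
    """Server side of number-matching push MFA (constructed example).

    start_login() registers a pending login and returns the two-digit number
    that the login screen shows to whoever started the attempt. approve() is
    what the user's authenticator app sends after the user types the number
    they see; it succeeds only for the number bound to that exact pending
    login, so a prompt caused by an attacker's login attempt cannot be
    approved by a user who has no login screen in front of them.
    """

    MAX_WRONG = 3  # wrong answers allowed before the pending login is voided (assumed)

    def __init__(self):
        self._pending = {}  # login_id -> {"user", "number", "wrong"}

    def start_login(self, user):
        login_id = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"  # "00".."99", shown on the login screen
        self._pending[login_id] = {"user": user, "number": number, "wrong": 0}
        return login_id, number

    def approve(self, login_id, typed):
        """Return True only when `typed` matches the number for this pending login."""
        entry = self._pending.get(login_id)
        if entry is None:
            return False  # unknown, already used, or voided
        if typed.strip() == entry["number"]:
            del self._pending[login_id]  # one-shot: an approval cannot be replayed
            return True
        entry["wrong"] += 1
        if entry["wrong"] >= self.MAX_WRONG:
            del self._pending[login_id]  # void it rather than let numbers be tried until one fits
        return False

    def pending_for(self, user):
        """Outstanding prompts for a user; a sudden pile-up is itself a warning sign."""
        return sum(1 for e in self._pending.values() if e["user"] == user)
```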
2. Use push notifications sparingly
While push notifications are a convenient form of MFA, they are also the most vulnerable to fatigue attacks. Unlike OTPs or hardware tokens, push notifications only require a single tap to approve, making it easy for users to accidentally accept them.
Consider limiting the use of push notifications to low-risk scenarios or combining them with number matching for added security. Encourage users to use more phishing-resistant methods like hardware security keys (like YubiKey) or authenticator apps that require manual entry of a code.
3. Implement rate limiting and lockout policies
To prevent attackers from spamming users with MFA requests, set up rate limiting and account lockout policies. Rate limiting caps the number of MFA attempts allowed within a certain timeframe, such as 5 attempts per 30 minutes. If the limit is exceeded, the account is temporarily locked to prevent further attempts.
Account lockout policies block access after a certain number of failed MFA attempts, such as 10 failures in a row. This prevents attackers from repeatedly guessing MFA codes or flooding users with prompts. The account can be unlocked by an administrator or through a self-service process that verifies the user's identity.
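The two policies above, implemented together as an added example (not Rippling's code): a sliding-window limit of 5 prompts per 30 minutes per account, and a lockout after 10 consecutive MFA failures that only an administrator or identity-verified self-service flow clears. Class and method names are assumptions; timestamps are plain seconds so the example runs offline.

```python
from collections import defaultdict, deque


class MfaPromptPolicy:
    """Per-account throttling of MFA prompts (constructed example).

    Two independent controls:
      * rate limit: at most MAX_PROMPTS prompts per WINDOW seconds
      * lockout: LOCK_AFTER consecutive failed MFA attempts locks the account
        until unlock() is called by an admin or a verified self-service flow
    """

    MAX_PROMPTS = 5
    WINDOW = 30 * 60  # seconds
    LOCK_AFTER = 10

    def __init__(self):
        self._prompts = defaultdict(deque)    # user -> timestamps of prompts sent
        self._fail_streak = defaultdict(int)  # user -> consecutive MFA failures
        self._locked = set()

    def request_prompt(self, user, now):
        """Decide whether a login attempt at time `now` may send an MFA prompt.
        Returns 'sent', 'rate_limited' or 'locked'."""
        if user in self._locked:
            return "locked"
        q = self._prompts[user]
        while q and now - q[0] >= self.WINDOW:  # drop prompts outside the window
            q.popleft()
        if len(q) >= self.MAX_PROMPTS:
            return "rate_limited"  # the device gets nothing, so there is no flood to tire of
        q.append(now)
        return "sent"

    def record_result(self, user, success):
        """Record an MFA outcome (wrong code or denied push counts as failure).
        Returns True if the account is now locked."""
        if success:
            self._fail_streak[user] = 0
        else:
            self._fail_streak[user] += 1
            if self._fail_streak[user] >= self.LOCK_AFTER:
                self._locked.add(user)
        return user in self._locked

    def unlock(self, user):
        """Administrator or identity-verified self-service unlock."""
        self._locked.discard(user)
        self._fail_streak[user] = 0
```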
4. Monitor for suspicious MFA activity
Implement monitoring and alerting systems to detect and respond to unusual MFA activity. This could include a high volume of MFA requests from a single IP address, multiple failed attempts followed by a successful one, or out-of-hours login attempts.
Establish a baseline of normal MFA behavior for your organization and set thresholds for what constitutes suspicious activity. When an anomaly is detected, trigger an alert to your security team for investigation. You may also want to automatically block the suspicious IP address or require additional verification steps for the affected user.
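The three patterns named above, run over a few constructed MFA log records as an added example (not Rippling's detection logic): a burst of prompts from one source IP, several denied or ignored prompts followed by an approval, and an approval outside working hours. The log format, the thresholds and the 07:00-19:59 UTC working window are assumptions to be replaced with your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime
# Constructed sample log: one JSON record per MFA push sent (not real telemetry).
SAMPLE_LOG = """
{"ts": "2024-11-20T02:01:05Z", "user": "alice", "ip": "203.0.113.7", "result": "denied"}
{"ts": "2024-11-20T02:01:40Z", "user": "alice", "ip": "203.0.113.7", "result": "timeout"}
{"ts": "2024-11-20T02:02:10Z", "user": "alice", "ip": "203.0.113.7", "result": "denied"}
{"ts": "2024-11-20T02:02:55Z", "user": "alice", "ip": "203.0.113.7", "result": "approved"}
{"ts": "2024-11-20T09:15:00Z", "user": "carol", "ip": "198.51.100.4", "result": "approved"}
"""

WINDOW = 5 * 60            # seconds; thresholds below are assumed starting points
BURST_FROM_IP = 3          # prompts from one source IP within WINDOW
FAILS_BEFORE_APPROVAL = 2  # denied/ignored prompts before an approval within WINDOW
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as in-hours (assumption)

def parse(log):
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["t"])

def within(later, earlier):
    return (later["t"] - earlier["t"]).total_seconds() <= WINDOW

def detect(log):
    """Return sorted (alert_type, subject) pairs for the three patterns in the text."""
    alerts = set()
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in parse(log):
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)
    for ip, evs in by_ip.items():  # 1) burst of prompts from a single IP
        for i, first in enumerate(evs):
            if sum(within(x, first) for x in evs[i:]) >= BURST_FROM_IP:
                alerts.add(("mfa_burst_from_ip", ip))
    for user, evs in by_user.items():
        fails = []
        for e in evs:
            fails = [f for f in fails if within(e, f)]  # keep only recent failures
            if e["result"] in ("denied", "timeout"):
                fails.append(e)
            elif e["result"] == "approved":
                if len(fails) >= FAILS_BEFORE_APPROVAL:  # 2) failures then success
                    alerts.add(("approval_after_failures", user))
                if e["t"].hour not in WORK_HOURS:  # 3) out-of-hours approval
                    alerts.add(("out_of_hours_approval", user))
    return sorted(alerts)
```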
5. Use adaptive authentication policies
Adaptive authentication uses a wide range of risk-based factors to dynamically determine the appropriate level of MFA for each login attempt. These factors typically fall into two main categories:
- User behavior signals: device characteristics and history; geographic location and typical travel patterns; time of access relative to usual patterns; previous authentication methods used; application access patterns.
- Network and technical signals: IP address reputation and history; VPN or proxy usage; browser fingerprinting; network characteristics; known malicious activity indicators.
For example, if a user typically logs in from a corporate office during business hours using a company-issued laptop, that would be considered a low-risk scenario. The user may only need to enter a password to gain access. However, if the same user tries to log in from an unfamiliar country at 2 a.m. using a new device, through a VPN with a suspicious IP address, that would trigger a high-risk score and require additional forms of MFA.
Adaptive authentication helps balance security and usability by applying MFA judiciously based on context. This reduces friction for legitimate users while still providing protection against unauthorized access attempts.
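The risk scoring behind the office-versus-2 a.m. example above, as an added example (not Rippling's policy engine): each signal from the two categories adds weight, and the total decides whether a password alone, a number-matching push, or a phishing-resistant security key is required. Signal weights, thresholds and the sample profile are assumptions.

```python
# Constructed adaptive-authentication example; weights and thresholds are assumptions.

PROFILE_EXAMPLE = {  # what is "normal" for one user, built from past logins
    "known_devices": {"corp-laptop-0413"},
    "usual_countries": {"US"},
    "usual_hours": range(8, 19),  # local business hours
}

SIGNALS = [  # (name, predicate over (attempt, profile), weight)
    ("new device", lambda a, p: a["device_id"] not in p["known_devices"], 25),
    ("unfamiliar country", lambda a, p: a["country"] not in p["usual_countries"], 30),
    ("unusual hour", lambda a, p: a["hour"] not in p["usual_hours"], 15),
    ("VPN or proxy", lambda a, p: a.get("vpn_or_proxy", False), 10),
    ("suspicious IP reputation", lambda a, p: a.get("ip_reputation") == "suspicious", 30),
    ("known malicious indicator", lambda a, p: a.get("known_malicious", False), 100),
]


def risk_score(attempt, profile):
    """Sum the weights of the signals that fire, capped at 100, and say which fired."""
    reasons = [name for name, fires, _ in SIGNALS if fires(attempt, profile)]
    score = sum(w for name, _, w in SIGNALS if name in reasons)
    return min(score, 100), reasons


def required_factors(score):
    """Map a risk score to what the login must complete before access is granted."""
    if score < 20:
        return ["password"]  # trusted context: no push is sent, so nothing to fatigue
    if score < 60:
        return ["password", "push_with_number_matching"]
    return ["password", "security_key"]  # high risk: phishing-resistant factor only


def decide(attempt, profile):
    score, reasons = risk_score(attempt, profile)
    return {"score": score, "reasons": reasons, "factors": required_factors(score)}
```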
6. Educate users on MFA fatigue
User awareness is a critical component of MFA fatigue defense. Educate your employees, partners, and customers on what MFA fatigue is, how to recognize the signs, and what to do if they suspect an attack.
Teach users to be cautious of unexpected MFA prompts, especially if they haven't recently tried to log into an account. Encourage them to verify the legitimacy of the request by checking the number matching code or contacting your IT support team. Remind them never to accept an MFA prompt if they didn't initiate the login attempt.
Include MFA fatigue scenarios in your security awareness training programs and phishing simulations. Regularly reinforce best practices through newsletters, posters, and other communication channels.
7. Have an incident response plan
Despite your best efforts, an MFA fatigue attack may still succeed. Having a well-defined incident response plan can help you quickly detect, contain, and recover from a breach.
Your plan should include procedures for:
- Identifying and verifying the compromised account(s)
- Locking down the account(s) to prevent further unauthorized access
- Investigating the scope and impact of the breach
- Containing the damage by isolating affected systems and data
- Eradicating the attacker's presence and remediating vulnerabilities
- Restoring normal operations and monitoring for signs of re-entry
- Notifying affected parties and regulators as required by law
- Conducting a post-incident review to identify lessons learned
Regularly test and update your incident response plan to ensure it remains effective against evolving threats like MFA fatigue.
Protect your business with Rippling
Preventing and responding to MFA fatigue attacks requires a comprehensive approach to identity and access management (IAM). You need a solution that can secure user authentication, enforce adaptive policies, monitor for threats, and automate response actions.
That's where Rippling excels. Rippling is an all-in-one workforce platform that unifies IAM, device management, and security automation into a single system of record. With Rippling, you can:
- Enforce strong MFA policies across all your apps and devices
- Implement phishing-resistant MFA methods like YubiKeys and Duo
- Set adaptive authentication rules based on user risk profiles
- Monitor user behavior and detect anomalous activity in real-time
- Automate user provisioning and deprovisioning workflows
- Manage device security policies and software updates from one place
- Investigate and respond to incidents with detailed audit logs
Rippling's IAM solution integrates with hundreds of popular apps and systems, including Office 365, Google Workspace, AWS, and Salesforce. You can easily enforce consistent access policies and MFA requirements across your entire tech stack, without manual configuration or code.
By consolidating IAM and security management into a single platform, Rippling helps you reduce complexity, improve visibility, and strengthen your defenses against threats like MFA fatigue attacks. You can rest assured that your user identities and data are protected by enterprise-grade security controls and 24/7 monitoring.
MFA fatigue FAQs
What does MFA stand for in IT?
In IT, MFA stands for multi-factor authentication. It refers to a security process that requires users to provide two or more forms of identification to access a system or application. These factors can include something the user knows (like a password), something the user has (like a hardware token), or something the user is (like a fingerprint).
What is MFA bombing?
MFA bombing, also known as MFA fatigue or MFA exhaustion, is a type of social engineering attack that attempts to overwhelm users with fraudulent MFA prompts in order to trick them into accepting one. The attacker repeatedly attempts to log in with stolen credentials, triggering a flood of MFA requests to the user's device. The goal is to wear down the user's vigilance until they accidentally approve a malicious request.
What is the solution to MFA fatigue?
Preventing MFA fatigue requires a combination of technical controls, user education, and proactive monitoring. Some effective solutions include:
- Implementing number matching for MFA prompts
- Using phishing-resistant MFA methods like security keys
- Setting rate limiting and account lockout policies
- Educating users on how to recognize and report MFA fatigue attempts
- Monitoring for anomalous MFA activity and automating response actions
- Enforcing risk-based authentication policies that adapt to user behavior
By layering these defenses and staying vigilant, organizations can reduce the risk of MFA fatigue attacks and protect their critical assets.
This blog is based on information available to Rippling as of November 20, 2024.
Disclaimer: Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide or be relied on for tax, accounting, or legal advice. You should consult your own tax, accounting, and legal advisors before engaging in any related activities or transactions.