MFA attacks work by exploiting an organisation's authentication process for malicious gain. Many modern workplaces will have some kind of MFA application (think "Microsoft Authenticator" or "Google Authenticator") where additional factors are required alongside a user's login credentials to authenticate their identity.
While multi-factor authentication is overall largely beneficial for identity verification and sign-in security, employee complacency can unwittingly hand malicious actors a sneaky entry point into internal employee systems and the sensitive data they hold.
What is MFA fatigue?
A multi-factor authentication (MFA) fatigue attack is a social engineering tactic employed by malicious actors to gain unauthorised access to sensitive data and user accounts. The intention behind this attack method is to coerce users into confirming their identity by relentlessly spamming MFA push notifications to the victim's devices until they finally accept the authenticator app request out of complacency or frustration.
Why is MFA fatigue dangerous?
Unlike other, more technically complex cyberattack methods, the success of MFA fatigue attacks relies largely on employee fatigue, distraction, or complacency.
It's easy to get distracted by in-office responsibilities or overwhelmed by constant requests from colleagues and non-stop notifications from authenticator apps, making it entirely possible to accidentally approve a fraudulent MFA request. Malicious actors prey on exactly this kind of employee behaviour to launch their attacks.
Multi-factor authentication attacks are also particularly dangerous because they are difficult to identify in real time. Once an attacker gains access, they operate under the compromised user's identity and can move around your organisation's systems undetected. This can eventually compromise entire internal systems without the business being aware, with the risk of further stolen credentials and compromised accounts as more legitimate users are unknowingly exploited.
How do MFA fatigue attacks work?
MFA fatigue attacks work by abusing MFA push prompts to irritate or exhaust the victim into approving one, in turn giving the attacker discreet access to sensitive data and internal systems.
Here's the general methodology of an MFA attack:
- Attackers use phishing tactics or credential stuffing to gain login credentials.
- Once they've acquired the victim's login credentials, hackers will attempt to log in to the target account. This triggers MFA notifications to be sent to the victim's desktop or mobile device.
- The attacker keeps spamming the target user's registered devices with MFA requests. These relentless requests eventually become irritating or exhausting, and oftentimes the victim will surrender to MFA fatigue and accept the login request.
- Once the user accepts the malicious MFA request, the attacker gains access to their internal network and can then steal and exploit sensitive company data. Because of how discreet this cyberattack method is, it can take a significant amount of time for security teams to identify and remediate the damage inflicted.
How can businesses prevent MFA fatigue attacks?
While navigating and preventing MFA fatigue attacks may seem overwhelming, it's important to recognise that there are measurable, actionable steps businesses can take to minimise the risk of exploitation.
Here are OnSecurity's top suggestions for building resilience against this menacing method of social engineering:
Limit authentication requests
Many reliable multi-factor authentication applications will give IT managers or dedicated identity teams the option to limit authentication requests for employees. Limiting authentication requests can prevent MFA fatigue attacks by reducing the likelihood of notification overloads, in turn also minimising the chance that users blindly approve requests out of annoyance or confusion.
Capping the number of requests, for example to no more than three per hour for any one user's account, can also help both users and IT teams to identify potential attacks and block access swiftly.
Educate users
Employee education is the backbone of good cybersecurity. Whether it's an online course on strong authentication practices, a document created by your business detailing MFA proper use and policy, or an IT-team led meeting on how to identify the signs of a potential MFA fatigue attack, educating your team on the importance of MFA security is your best line of defence against this social engineering method that specifically exploits complacency and lack of awareness.
Monitor and test
The most effective way to prevent MFA fatigue attacks is regular security testing and continuous social engineering assessment. Regular penetration testing helps businesses identify weaknesses in their existing MFA processes swiftly and effectively by simulating real-world attacks and assessing how employees respond to continuous, repeated illegitimate MFA requests.
Routine penetration testing enables businesses to proactively uncover weaknesses in their MFA processes by simulating real-world attack scenarios. This includes evaluating how employees respond to repeated illegitimate MFA requests, an essential part of understanding user behaviour under pressure.
By continuously testing defences, organisations not only validate the strength of their security posture but also improve user awareness and readiness. This strengthens the effectiveness of monitoring systems and helps distinguish between regular and suspicious authentication activity.
As a result, security teams are better equipped to detect abnormal patterns, such as repeated MFA prompts, and respond swiftly and decisively to potential threats.
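The two controls above, capping push prompts per user per hour (the "no more than three requests within an hour" figure from the "Limit authentication requests" section) and detecting the abnormal pattern of repeated prompts, share the same sliding-window logic. The following is an added example, not OnSecurity's code nor any authenticator vendor's API: a hypothetical `MfaPushGuard` that sits between a login service and a push provider, suppresses prompts once the cap is reached, and raises a high-severity alert when an approval lands after a burst of prompts, which is the moment a fatigue attack succeeds. The log lines it replays are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Cap from the article: no more than three push prompts per user per hour.
MAX_PROMPTS_PER_WINDOW = 3
WINDOW = timedelta(hours=1)


class MfaPushGuard:
    """Per-user sliding-window cap on MFA push prompts plus SOC alerts.

    Hypothetical helper (not a real product API): it decides whether a
    prompt may be sent for a login attempt, then watches the response.
    """

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW, window=WINDOW):
        self.max_prompts = max_prompts
        self.window = window
        self._prompts = defaultdict(deque)  # user -> timestamps of sent prompts
        self.alerts = []                    # (severity, user, detail)

    def _recent(self, user, now):
        """Drop prompt timestamps that have fallen out of the window."""
        q = self._prompts[user]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def on_login_attempt(self, user, now, src):
        """Return 'sent' if a prompt may go out, 'suppressed' if the cap is hit."""
        q = self._recent(user, now)
        if len(q) >= self.max_prompts:
            # Someone holding valid credentials is hammering this account.
            self.alerts.append(("medium", user,
                                f"{len(q)} prompts within {self.window}; further prompts "
                                f"suppressed (latest attempt from {src})"))
            return "suppressed"
        q.append(now)
        return "sent"

    def on_response(self, user, now, result):
        """Flag an approval that lands after a burst of prompts."""
        q = self._recent(user, now)
        if result == "approved" and len(q) >= self.max_prompts:
            self.alerts.append(("high", user,
                                f"approval after {len(q)} prompts within {self.window}; "
                                "treat the session as suspect and re-verify the user"))
            return "review"
        return "ok"


def parse_line(line):
    """Parse '<ISO-8601 UTC timestamp> key=value ...' into (datetime, dict)."""
    ts, *pairs = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, dict(p.split("=", 1) for p in pairs)


def replay(lines, guard=None):
    """Feed log lines through the guard; return (decision per line, guard)."""
    if guard is None:
        guard = MfaPushGuard()
    decisions = []
    for line in lines:
        when, f = parse_line(line)
        if f["event"] == "login_attempt":
            decisions.append(guard.on_login_attempt(f["user"], when, f.get("src", "?")))
        elif f["event"].startswith("push_"):
            decisions.append(guard.on_response(f["user"], when, f["event"][len("push_"):]))
    return decisions, guard


# Constructed sample log (not real data): alice's account receives a burst of
# prompts over a few minutes and she eventually approves one; bob is an
# ordinary user for comparison, and alice's 10:30 attempt is outside the window.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice src=203.0.113.7 event=login_attempt",
    "2024-05-01T09:00:30Z user=alice event=push_denied",
    "2024-05-01T09:01:00Z user=alice src=203.0.113.7 event=login_attempt",
    "2024-05-01T09:01:20Z user=alice event=push_denied",
    "2024-05-01T09:02:00Z user=alice src=203.0.113.7 event=login_attempt",
    "2024-05-01T09:03:00Z user=alice src=203.0.113.7 event=login_attempt",
    "2024-05-01T09:03:30Z user=alice event=push_approved",
    "2024-05-01T09:05:00Z user=bob src=198.51.100.20 event=login_attempt",
    "2024-05-01T10:30:00Z user=alice src=203.0.113.7 event=login_attempt",
]

if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:10} {line}")
    for severity, user, detail in guard.alerts:
        print(f"ALERT[{severity}] {user}: {detail}")
```

The medium-severity alert fires before any approval, which is the point of the cap: it gives the IT team time to contact the user and reset the password, because a prompt burst means the attacker already holds valid credentials. The high-severity "review" decision is the signal worth routing straight to the incident queue, since a normal user rarely approves a prompt only after several in quick succession.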
Protect your business with OnSecurity
Pentesting doesn't simply highlight existing problems in your authentication processes. Penetration testing can also help to enforce future policies or training protocols by revealing weaknesses in user behaviour or education, minimising the long-term risk of cyberattacks.
OnSecurity's expert penetration testing services can empower your organisation to achieve cyber-resilience. With expert-led, CREST-accredited testing, our AI-amplified platform simplifies and schedules your pentesting programme with unparalleled efficacy.
Got a query? Contact us today and find out how we can best support your journey to offensive cyber-resilience.