Cybersecurity isn’t just about technology; it’s also about understanding and addressing the psychology of users. Let’s explore MFA Fatigue and the threat it brings.

Cyber Security & MFA Fatigue

Wed, 23 Apr 2025

In the world of cybersecurity, there’s a well-known saying: the industry is always on the defensive. As cybersecurity professionals raise their defences, attackers are busy finding ways to bypass them. It’s simply the way things work.

Attackers are now exploiting the psychology of users…

A good example of this is multi-factor authentication (MFA), a security method that requires users to confirm their identity through multiple means, such as a password, a code sent to their phone, or a fingerprint. While many are adopting MFA to safeguard their digital assets, cybercriminals are continuously refining their methods to bypass this crucial security measure. Although MFA is highly effective in preventing unauthorised access, it is not immune to exploitation; human error remains a significant issue and has given rise to MFA Fatigue.

What is MFA Fatigue?

MFA fatigue attacks, also referred to as notification spamming or push bombing, exploit the victim’s psychological response to bypass security measures. MFA fatigue relies on manipulating human behaviour, making it a powerful attack vector. In these attacks, cybercriminals overwhelm their target with a series of rapid-fire MFA prompts, hoping to frustrate or fatigue the user into approving one of the requests—thus granting access. Recognising that people have limited patience, especially when dealing with constant digital disruptions, attackers take advantage of this by bombarding the user persistently. The victim may eventually approve the request simply to stop the incessant notifications, often misinterpreting it as a system glitch or minor error.

Social Engineering Tactics

Beyond fatigue attacks, cybercriminals also employ social engineering tactics. MFA fatigue is often used alongside social engineering—where an attacker, posing as IT support, urges the victim to approve the prompt to “fix an issue”.

This combination of push spamming and social manipulation creates a scenario where the user/victim feels pressured to comply.

Cybercriminals are strategic: they know how to exploit vulnerabilities, and they time their MFA fatigue attacks for maximum effectiveness. Late at night or during busy periods, when users are less alert or more likely to prioritise convenience over caution, are prime opportunities for these attacks. Some users may even believe that repeated prompts are a sign of legitimacy, reinforcing the false idea that approving one of them will resolve the problem.

MFA Fatigue attack timeline

Cybercriminals will first obtain user credentials using known methods such as phishing, brute force attacks or purchasing details on the dark web. Our extra levels of security (MFA) provide a barrier preventing them from logging in.

The hacker then initiates a login attempt using the victim’s credentials. Known as MFA bombing, this is repeated continuously, bombarding the user with multiple MFA approval requests.

Frustrated by the continual interruptions requesting approval, the user eventually gives in and approves one of the requests – unknowingly giving access to the cybercriminal.

Now inside your systems, the hacker can steal data and deploy ransomware.

So, here’s the question: ‘Can Too Much Security Now Become a Problem?’

MFA fatigue is simply a natural progression of cybercriminal tactics—using psychology to target the human error factor rather than attempting to bypass the technology itself. Worryingly, these attacks do not require a high level of skill; they do, however, rely on businesses over-relying on MFA.

The best line of defence is always training and awareness. Whilst MFA is an excellent layer of protection for your business, it is just that – one layer of protection. Over-relying on it can create vulnerabilities that attackers will exploit.

That said, it’s important to avoid excessive security measures that demand user interaction, as they can lead to frustration and MFA Fatigue. Rather than stacking many such layers, implement a few advanced measures that provide security without overwhelming the user.

Phishing-resistant MFA methods, such as FIDO2 tokens or biometrics, eliminate the need for approval prompts. These approaches are less susceptible to fatigue attacks, as they rely on physical interaction or distinct user traits.

Risk-based authentication adjusts security measures in real-time based on the assessed risk of a login attempt. In high-risk situations, additional verification steps are triggered, reducing the potential impact of compromised credentials.
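To make the risk-based approach concrete, here is an added example (not code from the original article or from any particular identity provider) of a small policy engine that scores a sign-in from context signals and only offers a push prompt when the risk is low. The user baseline, the weights and the thresholds are all assumed illustrative values; a real deployment would take them from the identity provider's own signals.

```python
from dataclasses import dataclass

# Constructed baseline an identity provider might hold for a user (hypothetical data):
# devices previously enrolled and countries of recent successful sign-ins.
KNOWN_DEVICES = {"alice": {"laptop-7f3a", "phone-c21e"}}
USUAL_COUNTRIES = {"alice": {"GB"}}

# Decision thresholds (assumed values; tune to your own environment).
STEP_UP_AT = 30   # require a phishing-resistant factor instead of a push prompt
DENY_AT = 70      # refuse the sign-in and alert


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour_utc: int              # 0-23, hour of the attempt
    failed_mfa_last_hour: int  # MFA prompts denied or timed out in the last hour


def risk_score(attempt):
    """Add up the risk signals for one sign-in and return (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in KNOWN_DEVICES.get(attempt.user, set()):
        score += 40
        reasons.append("unrecognised device")
    if attempt.country not in USUAL_COUNTRIES.get(attempt.user, set()):
        score += 30
        reasons.append("unusual country")
    if attempt.hour_utc < 6 or attempt.hour_utc >= 22:
        score += 10
        reasons.append("out-of-hours sign-in")
    if attempt.failed_mfa_last_hour >= 3:
        score += 30
        reasons.append("repeated denied or unanswered MFA prompts")
    return score, reasons


def decide(attempt):
    """Map the score to an action. A push prompt is only offered for low-risk sign-ins,
    so a stolen password alone is not enough to start flooding the user with prompts."""
    score, reasons = risk_score(attempt)
    if score >= DENY_AT:
        action = "deny"          # block and notify the user and IT out of band
    elif score >= STEP_UP_AT:
        action = "step_up"       # require a FIDO2 token or biometric; no push prompt
    else:
        action = "allow_push"    # normal factor, e.g. a single push prompt
    return {"action": action, "score": score, "reasons": reasons}


if __name__ == "__main__":
    samples = [
        LoginAttempt("alice", "laptop-7f3a", "GB", 10, 0),   # everyday sign-in
        LoginAttempt("alice", "laptop-7f3a", "GB", 10, 4),   # prompts being ignored
        LoginAttempt("alice", "kiosk-0001", "RO", 3, 0),     # new device, new country, 3am
    ]
    for attempt in samples:
        print(attempt.device_id, attempt.country, decide(attempt))
```

The useful property for fatigue attacks is that the fourth signal feeds back: once a user has denied or ignored several prompts in an hour, further sign-ins are forced onto a factor that cannot be approved by tapping a notification.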

Other methods, such as location-based and device-based MFA detection, automatically report any anomalies to the user for additional verification. These methods only allow access from trusted geographical areas and specific devices. Other automated solutions allow you to limit the number of push notifications and to implement time-out and account lock-out policies after failed MFA attempts.

All of these will help to reduce the chances of MFA Fatigue caused by repeated requests.
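The last two controls above, a cap on push notifications and a lock-out after failed prompts, are easy to show in code. The following is an added example, not code from the article or from any MFA product: a small policy class that throttles prompts per user within a sliding window and locks the account after repeated denied or timed-out prompts, replayed over a constructed prompt log to show which prompts it would have suppressed and when it would have alerted. The log format, the window and the thresholds are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-MFA event log (not taken from any
# real product). Each line is "<UTC timestamp> <user> <event>", where "sent" means a
# push prompt was issued and "approved"/"denied"/"timeout" is the user's response.
SAMPLE_LOG = [
    "2025-04-23T02:14:03Z alice sent",
    "2025-04-23T02:14:10Z alice sent",
    "2025-04-23T02:14:17Z alice sent",
    "2025-04-23T02:14:24Z alice sent",
    "2025-04-23T02:14:33Z alice timeout",
    "2025-04-23T02:14:40Z alice timeout",
    "2025-04-23T02:14:47Z alice timeout",
    "2025-04-23T02:14:55Z alice sent",
    "2025-04-23T09:00:00Z bob sent",
    "2025-04-23T09:00:12Z bob approved",
]

WINDOW = timedelta(minutes=10)   # sliding window for the push rate limit (assumed)
MAX_PROMPTS_PER_WINDOW = 3       # more than this in WINDOW looks like push bombing
MAX_FAILED_BEFORE_LOCK = 3       # denied or timed-out prompts before the account locks


class PushGuard:
    """Throttle push prompts per user and lock the account after repeated
    unanswered or denied prompts (the automated controls described above)."""

    def __init__(self):
        self.sent = defaultdict(deque)    # user -> timestamps of prompts actually sent
        self.failures = defaultdict(int)  # user -> consecutive denied/timed-out prompts
        self.locked = set()
        self.alerts = []                  # messages the IT team or MSP would receive

    def allow_prompt(self, user, now):
        """Return True if a push prompt may be sent to `user` at `now`."""
        if user in self.locked:
            return False
        window = self.sent[user]
        while window and now - window[0] > WINDOW:
            window.popleft()              # forget prompts that fell out of the window
        if len(window) >= MAX_PROMPTS_PER_WINDOW:
            self.alerts.append(
                f"{now.isoformat()} {user}: push rate limit hit "
                f"({len(window)} prompts in {WINDOW}); possible push bombing")
            return False
        window.append(now)
        return True

    def record_response(self, user, outcome, now):
        """Track the user's answer; lock the account after too many failures."""
        if outcome == "approved":
            self.failures[user] = 0
            return
        if outcome in ("denied", "timeout"):
            self.failures[user] += 1
            if self.failures[user] >= MAX_FAILED_BEFORE_LOCK and user not in self.locked:
                self.locked.add(user)
                self.alerts.append(
                    f"{now.isoformat()} {user}: account locked after "
                    f"{self.failures[user]} failed MFA prompts; verify with the user out of band")


def replay(log_lines):
    """Run a prompt log through PushGuard and report what the policy would have done."""
    guard = PushGuard()
    suppressed = 0
    for line in log_lines:
        ts, user, event = line.split()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "sent":
            if not guard.allow_prompt(user, now):
                suppressed += 1
        else:
            guard.record_response(user, event, now)
    return {
        "suppressed_prompts": suppressed,
        "locked_users": sorted(guard.locked),
        "alerts": guard.alerts,
    }


if __name__ == "__main__":
    for key, value in replay(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, alice's fourth prompt in under a minute is suppressed by the rate limit, her third unanswered prompt locks the account so the attacker can no longer generate notifications at all, and bob's ordinary sign-in is untouched. Both alerts give the IT team a reason to contact the user before anything is approved.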

In Summary

Our advice is for all staff to be trained to recognise MFA fatigue attacks, and to ensure that there are procedures in place for reporting unusual activity to your IT department or MSP. Some advanced automated MFA solutions can also use location and device signals to detect anomalies and automatically ask the user for additional verification, while others let you limit the number of push notifications and implement time-out and account lock-out policies after failed MFA attempts. All of these will help to reduce the chances of MFA Fatigue caused by repeated requests.

But knowledge is key, and human error remains one of the largest Cyber threats – train your staff regularly!

Sads Ltd have a team of qualified engineers to assess and advise on your current Cyber Security set-up, and we can also ensure that your staff have the correct knowledge to keep your business protected. Get in touch today on 0344 8111167 or [email protected].

For further Cyber Security advice call us now on 0344 811167, get in touch via email at [email protected], or visit http://www.sads.com