Nobody likes to be interrupted, or asked the same question over and over again. It can be frustrating, especially when you are trying to focus on something time critical.
Though, what if, during the rush to complete that work before your time-sensitive deadline, a barrage of multi-factor authentication (MFA) prompts begins lighting up your phone? And what if that simple tap of the ‘Approve’ button in your authenticator app allows a criminal to take over your work account, enabling them to steal data from your organisation or conduct other nefarious acts against it?
Recently, this form of social engineering has been seen more and more by organisations that have chosen to implement multi-factor authentication to provide an additional layer of security beyond basic usernames and passwords. This attack method has been coined multi-factor authentication fatigue, also known as MFA fatigue.
What is Multi-Factor Authentication Fatigue?
Multi-factor authentication fatigue is a form of social engineering whereby an adversary, through automated or manual means, overwhelms a user with multi-factor authentication prompts until they approve the sign-in request. When faced with hundreds of notifications to approve logins, users approve the request by accident, or assuming it is a re-authentication request for their current session, or simply to stop further notifications, allowing the adversary to gain access to their account. Attempts have also been observed where adversaries have posed as a member of the organisation’s tech support, contacting the user directly to encourage them to approve the prompt.
Why Should I Be Concerned About Multi-Factor Authentication Fatigue?
MFA fatigue is not the only way an attacker can overcome multi-factor authentication. Other attacks, such as SIM-swapping and man-in-the-middle proxying, could allow an attacker to access the account. However, these take considerable time and effort to execute.
Given that this is a relatively new tactic that has emerged with the growing adoption of MFA, it is not as well known as other forms of social engineering attack within the user community, thereby increasing the likelihood of a user approving the sign-in, unaware of the consequences this could bring.
It’s also a relatively easy attack to execute as it does not require sophisticated tooling or exploits. The only pre-requisites for initiating the attack are a user’s credentials and a simple script to repeatedly trigger MFA prompts. Gaining legitimate authentication credentials can be a straightforward task, with many organisations’ users falling victim to public data breaches, where work credentials have been publicised or where users have re-used breached personal passwords for work accounts.
There have been a number of high-profile attacks against organisations, such as those against Cisco and Uber, where MFA fatigue has been the first step in establishing a foothold within the organisation’s IT environment.
From this initial access, an adversary can then go on to compromise further accounts, obtain and exfiltrate sensitive organisational data, and potentially deploy ransomware to interrupt the operations of the organisation.
How to Reduce the Likelihood of a Successful Multi-Factor Authentication Fatigue Attack?
Firstly, do not rush to disable multi-factor authentication entirely believing that it is no longer providing the defence you once thought it was. This will, of course, make the situation far worse and remove a critical security control keeping your accounts secure.
Instead, the following are effective ways to minimise the chance of a successful MFA Fatigue attack:
Implement Phishing-Resistant MFA Requests – Phishing resistant MFA should be implemented to prevent users falling victim to MFA fatigue. One such method is ‘Number Matching’ which introduces an additional step within the MFA push notification workflow. A number is presented on the login screen, and this number must be entered by the user when approving the MFA prompt within their application. Several vendors now include this functionality within their offering, and some have even enabled it by default for new customers.
This can be further strengthened by adding additional context to the MFA request, such as geographical location and application details which several vendors are now supporting. An example is provided below from Microsoft Authenticator:
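Separately from the vendor screenshot referred to above, the following is an added example (not code from the original article or from any MFA vendor) that models why number matching defeats a blind ‘Approve’ tap. A toy push service issues a challenge whose two-digit number is shown only on the login screen; approving without entering the matching number is rejected. All class and function names are assumptions made for the example.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    """One outstanding push prompt (hypothetical structure for this example)."""
    user: str
    number: int          # shown on the login screen, never inside the push itself
    created: float
    app: str = "unknown"
    location: str = "unknown"
    ttl: float = 60.0    # seconds the prompt stays valid


class PushMfaServer:
    """Toy push-MFA service with number matching (example code, not a vendor's)."""

    def __init__(self) -> None:
        self.pending: dict[str, PushChallenge] = {}

    def start_sign_in(self, user: str, app: str = "unknown", location: str = "unknown") -> tuple[str, PushChallenge]:
        """Begin a sign-in: create a challenge and return its id plus the number to display."""
        challenge = PushChallenge(
            user=user,
            number=secrets.randbelow(100),   # two-digit number, uniformly random
            created=time.time(),
            app=app,
            location=location,
        )
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = challenge
        return challenge_id, challenge

    def approve(self, challenge_id: str, entered_number: int | None = None) -> bool:
        """Approve a prompt. Succeeds only with the number shown on the login screen."""
        challenge = self.pending.pop(challenge_id, None)   # one attempt per prompt
        if challenge is None:
            return False                                     # unknown or already used
        if time.time() - challenge.created > challenge.ttl:
            return False                                     # expired prompt
        if entered_number is None:
            return False                                     # plain 'Approve' tap is rejected
        # Constant-time comparison of the zero-padded digits.
        return hmac.compare_digest(f"{entered_number:02d}", f"{challenge.number:02d}")


def simulate_fatigue_attempt(server: PushMfaServer, user: str, prompts: int = 5) -> list[bool]:
    """An attacker with valid credentials triggers many prompts; the victim
    taps 'Approve' on each without seeing a number. Returns the per-prompt outcome."""
    outcomes = []
    for _ in range(prompts):
        challenge_id, _challenge = server.start_sign_in(user, app="VPN", location="unfamiliar")
        outcomes.append(server.approve(challenge_id))          # no number entered
    return outcomes


def simulate_legitimate_sign_in(server: PushMfaServer, user: str) -> bool:
    """The real user reads the number from their own login screen and enters it."""
    challenge_id, challenge = server.start_sign_in(user, app="Mail", location="office")
    shown_on_screen = challenge.number
    return server.approve(challenge_id, shown_on_screen)


if __name__ == "__main__":
    srv = PushMfaServer()
    print("fatigue attempt:", simulate_fatigue_attempt(srv, "alice", 3))   # all False
    print("legitimate:", simulate_legitimate_sign_in(srv, "alice"))        # True
```

The caveat this model makes visible: the party who started the sign-in sees the number, so number matching on its own only forces an attacker to persuade the victim to enter it, which is exactly what the tech-support pretext mentioned earlier attempts. Showing the requesting application and location alongside the number, and training users to refuse prompts they did not initiate, closes that remaining gap.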
Use Strong Passwords – As noted above, the key pre-requisite for any MFA fatigue attack is for an attacker to have obtained valid user credentials. To prevent this, educate users on what a strong password looks like and ensure they are aware of the dangers of password re-use. Enforce a strong password policy through technical controls that minimise the chance of a user having a weak password.
Educate and Encourage Users to Report Unexpected MFA Prompts – By educating users on MFA Fatigue and encouraging them to inform the relevant contact if they are a victim of the attack, you can then investigate the cause of the prompts and take action to prevent accounts being compromised.
Automated methods to achieve this can be enabled on platforms, such as Azure Fraud Alerts. This functionality allows users to report fraudulent attempts to access their account to administrators.
Monitor for and Block Excessive MFA Requests and Risky Sign-Ins – Define thresholds within your monitoring tools or on the authentication platform itself to alert on excessive MFA prompts within a short timescale and to block further prompts once the threshold is reached.
Furthermore, ensure you are monitoring for common risks and exposures against your organisation’s accounts, such as:
- User credential leaks
- Sign-ins from unfamiliar locations
- Sign-ins from suspicious IPs
- Sign-ins from unapproved devices
Many vendors of authentication platforms offer built-in risk-based authentication services that help identify, classify and block malicious sign-ins. Successful high-risk sign-ins should be reviewed to ensure that an MFA fatigue attack hasn’t resulted in a compromised account.
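The thresholding and review described in this item, as an added example that is not part of the original article: a small detection routine run over constructed sign-in events (the JSON shape, field names, IP addresses and the per-user list of known IPs are all invented for the example and do not correspond to any vendor’s log schema). It raises one alert when a user receives more push prompts than the threshold inside a sliding window, a second alert if an approval follows that burst, and returns the users whose further prompts should be throttled.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events: alice is bombarded from an unfamiliar IP and finally
# approves; bob receives a single prompt from his usual address and approves it.
SAMPLE_LOG = """
{"ts":"2023-01-10T09:00:01Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:00:12Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:00:25Z","user":"bob","event":"mfa_push_sent","ip":"198.51.100.4"}
{"ts":"2023-01-10T09:00:30Z","user":"bob","event":"mfa_push_approved","ip":"198.51.100.4"}
{"ts":"2023-01-10T09:00:31Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:00:44Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:01:02Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:01:15Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2023-01-10T09:01:20Z","user":"alice","event":"mfa_push_approved","ip":"203.0.113.7"}
"""

# Constructed: addresses each user has previously signed in from successfully.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}

THRESHOLD = 5        # prompts per user ...
WINDOW_SECONDS = 120  # ... within this sliding window


def parse(log_text):
    """Yield events as dicts with 'ts' converted to an aware datetime."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        yield event


def detect(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS, known_ips=KNOWN_IPS):
    """Return alerts for push bursts and for approvals that follow a burst."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    burst_started = {}            # user -> time the burst alert was raised
    for e in parse(log_text):
        user, ts = e["user"], e["ts"]
        if e["event"] == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()   # drop prompts that fell out of the window
            if len(q) >= threshold and user not in burst_started:
                burst_started[user] = ts
                alerts.append({"type": "mfa_push_burst", "user": user,
                               "count": len(q), "ip": e["ip"], "ts": ts.isoformat()})
        elif e["event"] == "mfa_push_approved":
            started = burst_started.get(user)
            if started is not None and (ts - started).total_seconds() <= window:
                # The review case from the text: a prompt was approved during a burst.
                alerts.append({"type": "approval_after_burst", "user": user,
                               "ip": e["ip"],
                               "ip_known": e["ip"] in known_ips.get(user, set()),
                               "ts": ts.isoformat()})
    return alerts


def users_to_throttle(alerts):
    """Users for whom further push prompts should be blocked pending review."""
    return {a["user"] for a in alerts if a["type"] == "mfa_push_burst"}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("throttle:", users_to_throttle(found))
```

Tune the threshold and window to your platform’s normal prompt rate; an `approval_after_burst` alert where `ip_known` is false is the high-risk successful sign-in the text says should be reviewed, and the `mfa_push_burst` alert is the point at which further prompts for that user should be blocked.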
Utilise Other Methods of MFA – Instead of push notifications, an organisation could use hardware security keys or other alternative secure MFA methods that are resistant to this form of attack. There are trade-offs to consider with these methods though, such as increased inconvenience to the user and cost to the organisation of procuring hardware security keys.