The Growing Problem with MFA Fatigue Attacks (And What You Can Do About It)
The internet is threatened more than ever by people who want nothing more than to damage organizations and their users. While more businesses have become aware of the critical link between identity and security, many still need to improve their security posture in this area. They remain at risk of a breach, especially with the rising threat of multi-factor authentication (MFA) fatigue attacks.
What is an MFA Fatigue Attack?
Compromised credentials are one of the leading causes of security breaches. That is a major reason why many organizations have adopted MFA to strengthen their defenses. When implemented correctly, the practice goes a long way toward protecting a company’s systems: if an attacker manages to get hold of vital user information such as a password, they still have at least one more barrier to get through before reaching protected data.
However, bad actors have started manipulating the model using a technique called MFA fatigue. An MFA fatigue attack involves flooding user authentication apps with push notifications. The goal is to frustrate or annoy users to the point where they accept one of them, which can be all the attacker needs to gain access to the victim’s device or account.
The practice is simple, effective, and becoming a major headache for organizations. According to a report from Expel, 80% of successful business account compromise (BAC) attacks occurred on accounts already set up with MFA. Clearly, a key weakness is that attackers can trick end users into approving the prompt that lets them bypass those protections.
How Do MFA Fatigue Attacks Exploit Users?
A lack of user training and awareness is a significant factor in the success of MFA fatigue attacks. Attackers deliberately go after those they believe are most vulnerable. If an organization makes its MFA policies too strict, employees get used to receiving frequent prompts and start approving them without much thought.
Attackers exploit this habit by triggering notifications that look no different from the usual ones. The employee approves one to move on and return to work. Even a burst of push notifications at once might not stand out as unusual, because the user may assume the system is having issues.
A lack of awareness around MFA fatigue attacks makes it easier for attackers to get away with triggering fraudulent notifications. Below is an example of the flow of a typical MFA fatigue attack.
- An attacker manages to steal a user’s credentials through phishing or other means.
- The attacker logs into an account protected by MFA multiple times.
- The legitimate user keeps getting push notifications. Some attackers even send emails pretending to be from the help desk, asking the user to accept the notification.
- The user gets tired of getting the MFA notifications and accepts one of them, allowing the attacker full access to a device or account.
Seeing the events in sequence makes it easier to understand how users can be fooled into approving an MFA notification they did not generate. Educating your workforce on how to handle a sudden wave of MFA push notifications goes a long way toward dealing with the problem. Still, that places too much of the burden on users. Organizations can do more to strengthen their protections and keep these attacks from gaining traction.
How Can Organizations Mitigate MFA Fatigue Attacks?
Striking the right balance with MFA is vital to stopping breach attempts. If policies are too relaxed, you run into problems such as the following:
- Sessions lasting too long
- IP changes not triggering the appropriate prompts
- Not receiving warnings about new devices enrolling in MFA
- Failure to get notified about stolen authentication tokens
Any investment in employee training should include learning to spot MFA fatigue attacks. Companies should also put controls in place that lower the risk of MFA exploitation. Methods organizations should consider include the following:
- Setting limits around MFA request attempts
- Detecting when an authenticated user’s location changes
- Putting restrictions on available MFA methods
Businesses should also apply MFA policies when a user’s profile changes. Any suspicious actions should be reviewed thoroughly to limit the damage malicious activity can cause.
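The attack flow above and the first two controls in this list (limiting MFA request attempts and detecting location changes) can be turned into concrete detection logic. The following is an added example, not code from the original article or from Axiad: it runs over a constructed set of push-notification events and flags a burst of prompts to one user within a short window, an approval whose country differs from the last accepted one, and an approval that arrives after a flagged burst. Event format, thresholds and sample values are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push events (not real logs): timestamp, user, outcome, country.
# "alice" receives five prompts in under a minute from a new country and accepts the last one;
# "bob" shows ordinary daytime activity from a single location.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "alice", "push_approved", "US"),
    ("2024-03-01T22:10:01", "alice", "push_denied", "RU"),
    ("2024-03-01T22:10:09", "alice", "push_denied", "RU"),
    ("2024-03-01T22:10:20", "alice", "push_timeout", "RU"),
    ("2024-03-01T22:10:31", "alice", "push_timeout", "RU"),
    ("2024-03-01T22:10:44", "alice", "push_approved", "RU"),
    ("2024-03-01T09:15:00", "bob", "push_approved", "US"),
    ("2024-03-01T13:40:00", "bob", "push_denied", "US"),
]


def detect_mfa_fatigue(events, max_prompts=4, window=timedelta(minutes=5)):
    """Return (user, finding, detail) tuples for fatigue-style push activity.

    max_prompts prompts to the same user inside `window` is treated as a burst;
    in a real deployment the same threshold would also stop further pushes being sent.
    """
    findings = []
    recent = defaultdict(deque)   # per-user sliding window of prompt timestamps
    last_approved_country = {}    # country of each user's most recent accepted push
    flagged_burst = set()         # users already reported for a burst
    for ts, user, outcome, country in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= max_prompts and user not in flagged_burst:
            flagged_burst.add(user)
            findings.append((user, "prompt_burst", f"{len(q)} prompts within {window}"))
        if outcome == "push_approved":
            prev = last_approved_country.get(user)
            if prev is not None and prev != country:
                findings.append((user, "location_change", f"{prev} -> {country}"))
            if user in flagged_burst:   # the approval the attacker was waiting for
                findings.append((user, "approval_after_burst", ts))
            last_approved_country[user] = country
    return findings


if __name__ == "__main__":
    for user, finding, detail in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{user}: {finding} ({detail})")
```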
How Can Companies Adopt MFA Best Practices?
Organizations need to evolve their MFA protocols as technology changes. Many companies previously adopted factors ripe for exploitation, such as secret questions or one-time passwords sent through email or SMS. While those offer some protection, businesses should take a more risk-based approach by strengthening the factors used for MFA.
Below are some ways organizations can improve MFA security and lower the chances of becoming vulnerable to MFA fatigue attacks.
1. Make Enrollment in Phishing-Resistant Authenticators a Requirement
Because social engineering attacks have become more sophisticated, companies should protect employees from MFA fatigue attacks by requiring phishing-resistant authenticators. Look for those that leverage public key cryptography, and move away from authenticators that rely on shared secrets or code sharing.
2. Eliminate Passwords
Avoid using passwords as an authentication factor. Instead, use passwordless solutions to help close the door on attackers attempting to exploit credentials to gain unauthorized access. Getting rid of passwords also helps reduce other attack methods like credential stuffing. You also reduce the time it takes to authenticate someone, improving the user experience.
3. Add Stronger Authentication Protections to Sensitive Applications
Instead of relying on MFA only at user login, also require it when a user requests access to an application that holds sensitive data. If someone still manages to get past the initial MFA check at login, this prevents them from gaining immediate access to your most critical applications.
Make MFA Seamless With Axiad
Axiad provides organizations with guidance around finding the right security solutions for their business environment. Learn more about how we can help protect your company against bad actors by consulting with one of our experts.