A relatively new social engineering technique commonly known as “MFA Fatigue” has been successfully used to compromise employee accounts at large corporations like Uber, Microsoft, and Cisco.
The technique exploits Multi-Factor Authentication (MFA) solutions that send users sign-in approval notifications after account access attempts – as well as the fact humans tend to get frustrated by endless streams of messages.
This attack still requires stolen account credentials, so ensuring you have a strong password is paramount, and using a password manager to facilitate this is always advised.
MFA Fatigue: A Novel Hacking Tactic
Your business is vulnerable to MFA fatigue attacks if the multi-factor authentication method your employees use is configured to send “approve sign-in” notifications to their phones or other devices.
In an MFA Fatigue Attack, a hacker will make multiple attempts to log into a given user account configured with multi-factor authentication, using stolen credentials, sending an endless stream of sign-in approval requests to the user's device.
Alongside bombarding the target with notifications, hackers have reportedly sent emails in which they pretend to be IT support, in a further effort to convince the user that the messages are legitimate requests they need to deal with.
The intention is that the victim finally approves the request out of pure frustration, or is convinced they’ve been asked to do so by their tech team.
Other Authentication-Busting Techniques
We’d still advise activating two-factor authentication – and even better, multi-factor authentication – on any accounts you have.
An extra layer of security is always good – it’s better than not having it, after all – but it’s not the failsafe system it was once touted to be. However, there are more and less secure ways to configure it.
SIM-Swapping, for example, is a tactic hackers have previously used to gain unauthorized access to crypto wallets with two-factor authentication activated.
It involves phoning up a phone carrier and convincing them to swap a target’s phone number to a SIM controlled by the hacker, meaning two-factor authentication codes sent via text are redirected there instead.
This is why it’s generally advised to use an authenticator app like Google Authenticator to get your codes sent to your device rather than a phone number.
How Do I Beat MFA Fatigue Attacks?
If you’re being sent an endless stream of MFA notifications relating to your employee accounts with your company, contact your IT department.
Security experts also recommend disabling push notifications and simple “approve sign-in” requests, and instead opting for a more secure method of numerical codes sent to your phone or an authentication app.
On some systems, you can also limit the number of MFA requests that can be made, such that when a threshold is met, no more can be sent.
Of course, as this only works with stolen account credentials, the first line of defense is a strong, unique password – and there’s no better way to ensure you have one than a password manager. Using one, along with an authenticator app and a configured MFA request threshold (if possible), is the safest way forward.