Multifactor authentication, or MFA, is a mechanism used to secure user accounts. Unsurprisingly, however, malicious actors have found ways to bypass it, making the technology merely a small obstacle for many attackers.
Although many methods can bypass MFA, a technique called MFA fatigue or MFA abuse is a popular one due to its low complexity and high success rate. This article will discuss MFA fatigue, how to avoid falling victim to it, what to do in the event it’s happening on one of your accounts, and provide recent examples where it’s led to notable cyberattacks.
What Is MFA Fatigue?
What Is Multifactor Authentication (MFA)?
If you aren’t already familiar with it, MFA is the use of multiple authentication factors to access a particular user account. A password alone is no longer enough to protect your accounts, and MFA has become a standard practice across all industries and organizations, as it reduces the likelihood of account compromise.
In general, there are three factors in an MFA process:
3 MFA Components
- Something you know — Password, PIN, or passphrase
- Something you have — OTP (one-time password), verification code, or hard or soft security token
- Something you are — Biometrics (fingerprint, facial scan, or iris scan)
What Is MFA Fatigue?
Also known as MFA abuse attacks, MFA fatigue occurs when an attacker spams a target victim with MFA push notifications. These are the notifications we receive to our emails, phones, or authenticator apps to approve login attempts.
The goal is to annoy victims with constant notifications until they approve one just to make it stop. Approving may seem harmless, but by doing so the victim lets the attacker bypass MFA entirely, since the login attempt being approved is the attacker's.
What Should I Do If MFA Abuse Happens to Me?
First, continue ignoring fraudulent push notifications. Although it can be quite annoying, approving a login to stop the flood of notifications will do further harm, as the attacker will then have access to your account.
Second, the fact that the attacker can trigger MFA push notifications means they already have your password, so it’s essential to reset it as soon as possible. Once you have done so, review your active sessions; most social media and other mobile-first applications provide a list of logged-in sessions. If you see any suspicious sessions, for example from a different geographical area, be sure to end them.
What if you’re receiving push notifications you didn’t trigger, but they’re not happening constantly? Should you be worried?
Yes. If you notice random, infrequent push notifications, err on the side of caution and change your password for the relevant application.
What Are Other Ways MFA Fatigue Attacks Happen?
Although the most common form of MFA fatigue is the one described above, with floods of push notifications, some attackers are more patient. These individuals may trigger push notifications throughout the day with the hopes that one of the attempts will coincide with your login activity, and you’ll approve it without suspicion.
The bottom line: Only approve push notifications that occur immediately after you’ve prompted one. It should take no more than five to 10 seconds for a push notification to occur after you’ve triggered a login, so any prompt for approval that comes past that point should raise a red flag.
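As an added illustration of the flood pattern described above, and of the "gave in" moment the article warns about (an approval that follows a string of rejected or unanswered prompts), here is a small detector run over constructed push-authentication log lines. This is example code written for this article, not part of the original post; the log format, field names, and thresholds are assumptions.

```python
"""Flag MFA fatigue patterns in push-authentication logs (constructed example).
Assumed line format: "<ISO time> user=<name> ip=<addr> push=<sent|approved|denied|timeout>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 5                    # pushes inside FLOOD_WINDOW count as a flood
FLOOD_WINDOW = timedelta(minutes=10)
GAVE_IN_MIN_REJECTS = 3                # rejections before an approval = "gave in"

# Constructed sample: alice is flooded and finally approves; bob logs in normally.
SAMPLE_LOG = """\
2022-09-15T01:00:05Z user=alice ip=203.0.113.7 push=denied
2022-09-15T01:01:10Z user=alice ip=203.0.113.7 push=timeout
2022-09-15T01:02:30Z user=alice ip=203.0.113.7 push=denied
2022-09-15T01:04:00Z user=alice ip=203.0.113.7 push=timeout
2022-09-15T01:05:45Z user=alice ip=203.0.113.7 push=denied
2022-09-15T01:07:20Z user=alice ip=203.0.113.7 push=approved
2022-09-15T09:00:02Z user=bob ip=198.51.100.4 push=approved
2022-09-15T17:30:11Z user=bob ip=198.51.100.4 push=denied
2022-09-15T17:30:40Z user=bob ip=198.51.100.4 push=approved
"""

def parse_log(text):
    """Parse log lines into (time, user, ip, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, kv["user"], kv["ip"], kv["push"]))
    return sorted(events)

def detect_fatigue(events):
    """Return {user: [(kind, ip, time), ...]} for flood and gave-in patterns."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        for i, (when, _, ip, result) in enumerate(evs):
            # All pushes for this user inside the trailing window ending at 'when'.
            recent = [e for e in evs[:i + 1] if when - e[0] <= FLOOD_WINDOW]
            if len(recent) == FLOOD_THRESHOLD:   # report once, when the threshold is crossed
                findings[user].append(("flood", ip, when))
            rejected = sum(1 for e in recent[:-1] if e[3] in ("denied", "timeout"))
            if result == "approved" and rejected >= GAVE_IN_MIN_REJECTS:
                findings[user].append(("approved_after_rejections", ip, when))
    return dict(findings)
```

Run `detect_fatigue(parse_log(SAMPLE_LOG))` to see alice flagged twice and bob not at all; the second finding for alice is the one worth paging on, since it marks the moment an attacker's push was approved.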
MFA Fatigue in the Wild
One reason many individuals neglect to follow cybersecurity best practices and advice is that it’s difficult to quantify the ROI (return on investment), both in terms of personal security hygiene and on an enterprise level.
Because good security practices result in, hopefully, a lack of incidents, there typically isn’t a noticeable difference unless you’ve tracked the number of incidents related to account compromise prior to and after the implementation of security training. On a personal level, users may think, “That won’t happen to me,” or, “I’ll just ignore it, the hacker will go away eventually.”
This isn’t the case, though: attackers will do what they can when given an opportunity to gain access to any account, and MFA fatigue is one such technique. If you fail to follow the security practices described above, your account will be further compromised and abused.
MFA fatigue in particular has gained more attention this year due to recent high-profile cyber incidents in which attackers used it. As mentioned previously, its high success rate has made it a more attractive method, especially against large, corporate networks. Although other, more technical methods can bypass MFA, MFA fatigue exploits the weakest link: the human factor.
This was the case in three large cyber events earlier this year:
3 Recent MFA Fatigue Attack Victims
Microsoft Source Code Breach
In March of 2022, Microsoft confirmed the threat group Lapsus$ gained access to their network and was able to steal proprietary source code. This data breach was the result of a compromised user account. Although Microsoft uses MFA to further protect its network, the user, whose credentials had been previously compromised, fell victim to MFA fatigue. Lapsus$ used a session replay attack to spam the user with MFA push notifications.
Attempted Data Extortion Against Cisco
In August of 2022, the Yanluowang threat group claimed to have gained access to Cisco’s network earlier in the year and threatened to leak stolen files if Cisco didn’t pay a ransom. After further investigating the incident, Cisco found that close to 3 GB of data had been stolen from an employee’s Box account, but it was not of a sensitive nature.
As you may have guessed already, Cisco further confirmed that the Yanluowang group was able to bypass their MFA requirement via MFA fatigue, in addition to vishing, or voice phishing. The combination of these techniques was enough to trick the victim into approving one of the push notifications, enabling the threat group to access the VPN.
Internal Uber Systems Breached
Most recently, and most notably, Uber was breached on September 15th. Unlike the other events, this attack was performed by an 18-year-old hacker based in the UK. Just like the Microsoft and Cisco cyberattacks, the hacker employed MFA fatigue against a contracted employee and then reached out to him, claiming to be from IT support.
“(I was spamming employee with push auth for over an hour) I then contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it.” — Attacker
This successful MFA fatigue attack resulted in the attacker gaining access to the corporate VPN and, from there, performing additional activities to discover sensitive information. Ultimately, the individual found plaintext administrator credentials, which were used to gain access to additional privileged account information and secrets for other enterprise services. Although the attacker wasn’t specific, we can guess these secrets were API keys or root credentials that enabled the individual to obtain high privileges on one or more corporate applications.
The Rise in MFA Fatigue
The popularity of MFA fatigue has led to a drastic shift in enterprise MFA implementations. In recent years, many companies have adopted push notifications for MFA, but that approach is being flipped on its head as a result of the rise in cyberattacks where the compromise occurred due to an MFA fatigue attack.
Cybersecurity experts have begun boycotting push notifications for MFA, shifting their support back to the more traditional methods like OTP (one-time passwords), including authenticator-based verification codes, SMS-based codes, and hardware tokens. What does this mean for end-users? Unfortunately, the most convenient MFA method, the push notification, will likely become less common in the future as organizations shift back to OTP methods.
The bright side is, as technology continues to advance, passwordless authentication and biometric MFA are options that organizations are beginning to adopt. Passwordless authentication, as one would guess, ditches the password for methods like biometrics, mobile app authentication, or one-time authentication links. Although these may be more expensive in some cases and may come with other risks and concerns, many companies will decide to pursue these options due to the convenience they offer to end-users.
Although it’s important for security teams to have appropriate and effective safeguards in place, balancing security with usability continues to be a primary factor to ensure security controls aren’t hindering business operations or affecting employee satisfaction.