MFA Fatigue Attacks: What are they and how can your business combat them?

As modern technology advances, more bad-faith actors are finding new ways to attempt to get around the latest security features.

One of the latest forms of attack is known as a multi-factor authentication (MFA) fatigue attack, a strategy used to gain access to an account by abusing the push-based MFA technologies that are now widely used.

However, if you know what to look for, you can easily protect yourself from attacks like these. In this article, we’re going to explain how an MFA fatigue attack is carried out, and how you can protect yourself today.

What is an MFA Fatigue Attack?

A multi-factor authentication (MFA) fatigue attack attempts to circumvent the MFA security features built into most modern applications.

Also known as MFA bombing, this is a social engineering attack in which attackers repeatedly push MFA authentication requests to the victim. The aim is to pressure the victim into accepting one of the notifications, and therefore gain access to the platform.

This attack is used after the attacker has already acquired the password for the target account, which can be done using other social engineering attacks. Usually, the attack leads to data exfiltration or a malware attack, such as ransomware, which holds your organisation’s data hostage until a ransom is paid.

How Does an MFA Fatigue Attack Start?

Compromised Credentials (previous breaches or password reuse)

For an MFA fatigue attack to work, the credentials of an account have to be initially compromised. This is usually done through social engineering attacks or through a previous breach of a third party.

At this point, it’s assumed that the attacker already has the credentials. After all, you can’t start an MFA fatigue attack without already having password access to the account.

Use Stolen Credentials to Send MFA Push Notifications

The attacker then sends MFA push notifications to the victim’s devices over and over. Each prompt rings or buzzes on those devices, which is a nuisance for the victim even before they respond to any of them.

A lot of these push notifications will have a simple ‘Yes’ button to click, while some platforms have more complex authentication options.

Victim Clicks Yes Eventually

Eventually, the goal is for the victim to click ‘Yes’ and grant access to the account, after getting frustrated with the number of MFA notifications they’re receiving.

This is why MFA fatigue attacks are classed as social engineering attacks. They’re not hacks or anything particularly technical; instead, they rely on human nature and the victim making an error, which is now the greatest cause of security breaches.

Once the victim clicks ‘Yes’ on their device, the attacker has complete access to the account they were targeting, making the attack a complete success.
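The pattern described in the three steps above leaves a distinctive trail in an identity provider’s sign-in logs: a burst of push prompts for one user, several denials or timeouts, and then an approval. The script below is an added example (not code from the original article) that scans a constructed log in that shape and flags users whose prompt count in a sliding window exceeds a threshold. The log format, the ten-minute window and the limit of three prompts are assumptions; a real IdP export needs its own parser, but the window logic carries over.

```python
"""Flag possible MFA push bombing in authentication logs.

Added example, not code from the original article. The log format and the
events below are constructed for illustration; an IdP's real sign-in export
will need its own parser, but the sliding-window logic is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <result>".
# alice receives five push prompts in under two minutes, denies two, lets one
# time out and finally approves; bob receives two ordinary prompts hours apart.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice mfa_push sent
2024-03-01T09:00:20Z alice mfa_push denied
2024-03-01T09:00:25Z alice mfa_push sent
2024-03-01T09:00:40Z alice mfa_push denied
2024-03-01T09:00:45Z alice mfa_push sent
2024-03-01T09:01:30Z alice mfa_push timeout
2024-03-01T09:01:35Z alice mfa_push sent
2024-03-01T09:01:50Z alice mfa_push sent
2024-03-01T09:02:05Z alice mfa_push approved
2024-03-01T09:05:00Z bob mfa_push sent
2024-03-01T09:05:10Z bob mfa_push approved
2024-03-01T11:30:00Z bob mfa_push sent
2024-03-01T11:30:08Z bob mfa_push approved
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
MAX_PROMPTS = 3                  # assumed tolerable number of prompts per window


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def find_push_bombing(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for every user who received more than
    max_prompts push prompts inside any single window.

    The finding records the size of the burst, how many prompts the user
    rejected or ignored, and whether an approval followed the burst. A burst
    that ends in an approval is the case to treat as a likely compromise
    rather than a mere nuisance.
    """
    pushes = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            pushes[user].append((ts, result))

    findings = {}
    for user, items in pushes.items():
        items.sort()
        sent = [ts for ts, result in items if result == "sent"]
        burst, burst_start, start = 0, None, 0
        for end, ts in enumerate(sent):          # sliding window over sent prompts
            while ts - sent[start] > window:
                start += 1
            if end - start + 1 > burst:
                burst, burst_start = end - start + 1, sent[start]
        if burst <= max_prompts:
            continue
        findings[user] = {
            "prompts": burst,
            "rejected": sum(1 for _, r in items if r in ("denied", "timeout")),
            "approved_after_burst": any(
                r == "approved" and ts >= burst_start for ts, r in items),
        }
    return findings


if __name__ == "__main__":
    for user, finding in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

Run against the sample, only alice is reported (five prompts, three rejected, approval after the burst), while bob’s two normal sign-ins hours apart are ignored. An approval that follows a burst of denials is the event worth paging on, since it is exactly the moment the victim gave in.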

How to Combat MFA Fatigue Attacks

Use OTP-Based MFA

Rather than using MFA based on ‘Is this you?’ prompts with ‘Yes/No’ buttons, using one-time password (OTP) based MFA where possible adds an extra barrier before attackers can get in.

An OTP is sent to your device and must be entered into the login portal you’re using. This means the attacker would need to obtain the OTP from you to succeed, making this attack far less effective.

On its own, this is the best way to stop MFA fatigue attacks: OTP-based MFA methods make an MFA fatigue attack useless.
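To show concretely why an OTP removes the attacker’s lever, here is an added example (not code from the original article or from any vendor’s product) implementing the standard HOTP/TOTP scheme from RFC 4226 and RFC 6238 in Python. The server side only ever compares a code the user typed in; there is no prompt for an attacker to fire at the victim’s phone. The shared secret is the RFC 4226 test key, and the 30-second step, six digits and one-step drift tolerance are assumed settings.

```python
"""Minimal RFC 4226 / RFC 6238 one-time password generation and verification.

Added example, not code from the original article or from any vendor's
product. The shared secret is the RFC 4226 test key; the digit count, time
step and drift tolerance are assumed settings.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_KEY = b"12345678901234567890"   # test secret from RFC 4226 Appendix D


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


class TotpVerifier:
    """Server-side check of a code the user typed in.

    Unlike a push prompt, there is nothing here for an attacker to trigger:
    the server only compares a submitted string against what the secret
    produces for the current time step (plus or minus `drift` steps for
    clock skew). Each counter value is accepted at most once, so a code
    that has already been used cannot be replayed within its window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.key, self.step, self.digits, self.drift = key, step, digits, drift
        self._last_accepted = -1   # highest counter already consumed

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        counter = int(at_time // self.step)
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self._last_accepted:
                continue                       # already used: refuse replay
            if hmac.compare_digest(hotp(self.key, c, self.digits), submitted):
                self._last_accepted = c
                return True
        return False


if __name__ == "__main__":
    print("current code for the test key:", totp(RFC_TEST_KEY))
```

The values checked below come from the RFC test vectors (counter 0 gives 755224, counter 1 gives 287082, and time 59 falls in counter 1). The verifier also refuses the same code a second time, which is the replay check a practitioner would expect alongside the constant-time comparison.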

Use Conditional Access

Using a tool such as Azure Active Directory, you can also use conditional access to ensure your organisation’s systems can only be accessed from approved devices, from approved locations, or with certain login methods.

This means you can easily control which devices are able to access your accounts. Anyone trying to access your organisation from an external device or unapproved location is blocked, regardless of what credentials they may have obtained.
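The following is an added example, written in Python rather than taken from Azure AD or any other product, that models the policy logic just described: a sign-in is allowed only if the device is enrolled, the source address is in a trusted network and the MFA method is one the policy accepts. The trusted networks, device identifiers, allowed methods and sign-in attempts are all constructed for illustration. The first attempt shows the MFA fatigue case: a correct password from an unknown device is blocked before any push prompt would be considered.

```python
"""Toy conditional-access evaluation in the spirit of the policy described above.

Added example, not Azure AD's own policy engine or API. Trusted networks,
device identifiers, allowed authentication methods and the sign-in attempts
are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    trusted_networks: tuple        # CIDR ranges treated as approved locations
    compliant_devices: frozenset   # device IDs enrolled and marked compliant
    allowed_methods: frozenset     # MFA methods accepted at sign-in


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    device_id: Optional[str]
    mfa_method: Optional[str]
    password_ok: bool


def evaluate(signin: SignIn, policy: Policy):
    """Return (decision, reason). Every condition must hold; a valid
    password on its own never yields "allow"."""
    if not signin.password_ok:
        return "block", "invalid credentials"
    if signin.device_id not in policy.compliant_devices:
        return "block", "device not enrolled or not compliant"
    ip = ipaddress.ip_address(signin.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in policy.trusted_networks):
        return "block", "untrusted location"
    if signin.mfa_method not in policy.allowed_methods:
        return "block", "authentication method not permitted"
    return "allow", "all conditions met"


# Constructed policy: a documentation range and an RFC 1918 range as "trusted".
POLICY = Policy(
    trusted_networks=("203.0.113.0/24", "10.0.0.0/8"),
    compliant_devices=frozenset({"LAPTOP-0042", "LAPTOP-0077"}),
    allowed_methods=frozenset({"totp", "fido2"}),   # no push approval
)

# Constructed sign-ins; the first three all present the correct password.
ATTEMPTS = [
    SignIn("alice", "198.51.100.7", None, "push", True),           # stolen password, unknown device
    SignIn("alice", "203.0.113.45", "LAPTOP-0042", "push", True),   # right device, push approval only
    SignIn("alice", "203.0.113.45", "LAPTOP-0042", "totp", True),   # right device, OTP entered
    SignIn("alice", "203.0.113.45", "LAPTOP-0042", "totp", False),  # wrong password
]


def decisions(attempts=ATTEMPTS, policy=POLICY):
    """Decision for each attempt, in order."""
    return [evaluate(a, policy)[0] for a in attempts]


if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt.user, attempt.source_ip, attempt.device_id, *evaluate(attempt, POLICY))
```

Only the third attempt is allowed. Note the ordering: device and location checks run before the authentication method is even considered, so a push bombing attempt from an attacker’s machine never reaches the stage where the victim could be prompted.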

Improve User Education

As with any social engineering attack, increasing awareness and educating users is an essential part of preventing these sorts of breaches. By ensuring that everyone in your organisation knows what an MFA fatigue attack is, there’s a far lower chance that it will happen to anyone within your company.

This should be a basic part of any cybersecurity or security awareness training, as it’s essential for everyone within your organisation. Make sure people know the risks they’re facing and the kinds of attack they could encounter.

Improve Password Hygiene

The catalyst for an MFA fatigue attack is having access to the first factor of authentication, which is usually the password for the account. By ensuring that attackers can’t access those details, you cut off the risk at its root.

Educating users and enforcing good password hygiene is important here. This includes password complexity, not repeating passwords across accounts, and ensuring that the passwords used aren’t reused from other platforms that could have been breached.

Enforce Least Privilege Access

The principle of least privilege holds that a user should only have access to the specific data and resources needed to undertake a task. This means granting access based on the specific task at hand, which reduces the amount of risk to your organisation.

By implementing this principle within your organisation, you ensure that sensitive data is only accessible to those who need it.

How We Can Help

MFA fatigue attacks can be worrying for any organisation. With the sheer number of cyber threats to keep track of, such an easy form of social engineering is easy to overlook. However, by implementing these changes and educating your organisation, you ensure that everyone throughout your institution is protected.

If you’re looking to take further steps to protect your organisation from the wide range of attacks that you could be facing, get in touch with us today! We’re here to help, and to ensure that your organisation is safe from any malicious attempts and bad-faith actors looking to damage it.

Contact us now and see how we can help!