Signs of MFA fatigue attacks and how to avoid them

With the advent of advanced authentication methods, many organizations have incorporated multi-factor authentication (MFA) in their IAM strategy. MFA has provided a welcome change, eliminating the sole dependence on usernames and passwords for identity security. The technique has now evolved to secure everything from major events like application logins to peripheral actions like Run as Administrator prompts. The latest authentication methods, like biometrics and FIDO2 passkeys, also help improve security without compromising on the user experience.

Initially, MFA rose as a formidable opponent to cyberattacks and malware, primarily password-based attacks, key logging, and phishing. While the introduction of MFA briefly stopped these attacks in their tracks, hackers now have a number of tricks up their sleeve to bypass MFA. A popular method they use is the MFA fatigue attack. Also known as MFA bombing or spamming, this social engineering attack causes MFA fatigue in users by constantly bombarding them with MFA notifications until they are manipulated into verifying their identity via those triggered MFA notifications. By doing so, they unknowingly provide an attacker with access to their account.

How is MFA fatigue induced in users?

Enterprises today have incorporated MFA to secure most of their network endpoints. While many companies strive to develop authentication policies that minimally impact the user experience by incorporating seamless features like push notifications, users may become complacent about such low-effort authentication processes.

Hackers try to exploit this tendency and raise an access request to the enterprise resource. The user will receive an MFA prompt requesting access permission. If the user identifies the request as rogue and rejects it, their device then becomes overloaded with further prompts. This can cause overwhelm and confusion, and users often accept the request in a bid to stop further prompts. The hacker then successfully weaves their way into the enterprise network, creating a data security crisis.

The MFA fatigue attack process

Here's a rundown of a typical MFA fatigue attack:

• The precursor to an MFA fatigue attack is exposed credentials. Unless it is a passwordless authentication flow, hackers first lay their hands on a user's credentials using methods like brute-force or phishing, or by obtaining them from illicit sources of exposed passwords.
• Next, the stolen credentials are used to raise access requests to the user's application or resource. Hackers target systems that use push notifications for the second stage of authentication since it merely involves accepting the notification. The hacker persistently sends the access requests in quick succession to fatigue the user. Sometimes, they may even contact the user posing as a support technician or IT admin and convince them to accept the notification, citing the requests as a malfunction or a test run.
• The user, fatigued by the influx of push notifications, accepts a request and falls prey to the attack. The hacker now has access to the application or resource. Based on the permissions and privileges held by the user account, they may be able to move across the network and access sensitive resources. This can result in a sensitive data breach, intellectual property theft, and in worse cases, even a ransomware attack.

How to prevent MFA fatigue attacks

While no authentication method is completely fool-proof, there are factors that can aid in drafting an authentication policy that is resistant to MFA fatigue attacks. These include:

1. User education: Users must learn the importance of creating and maintaining strong passwords that are resilient to exposure. They must also be taught to be wary of phishing and other social engineering methods employed to steal passwords. Finally, they must be aware of the tell-tale signs of MFA fatigue attacks, such as irregular access patterns or an unusually high number of MFA requests.
2. Secure MFA methods: While push notifications are a user-friendly method of authentication, they can be easily weaponized. Methods like TOTPs, biometrics, and hardware tokens are more secure and do not overload users with notifications.
3. Adaptive authentication: Adaptive or risk-based authentication automatically adjusts the stringency of the identity verification process based on the risk level of the access attempt. For example, MFA can be required only for sensitive resources or when out-of-the-ordinary access attempts are made. Details like geolocation and time of access can be used to determine whether an access attempt is risky or not. Additionally, access to the resource can be blocked after continuous failed access attempts.
4. Detailed auditing: Users' access and authentication attempts can be continuously audited and monitored to look out for peculiar actions or events. Audit logs can also be analyzed by SIEM solutions to detect and generate threat signals before they affect operations.
5. Single sign-on (SSO): Implement SSO to reduce the use of MFA. Once users authenticate for the first time with an identity provider using a secure MFA flow, they can be allowed to access their resources and applications without additional authentication.

ADSelfService Plus is an identity security solution with MFA, SSO, and self-service password management capabilities. Its MFA feature provides holistic identity security, fortifying access to endpoints such as machines, applications, VPNs, and OWA. It's armed with 20 authentication methods, including biometrics, FIDO passkeys, and TOTP authentication. The solution's conditional access feature automatically modifies access controls based on geolocation, time of access, device type, and IP address to improve security posture without affecting the user experience. It offers built-in reports that provide comprehensive audits of users' authentication attempts and failures, registered authentication devices, and more. The solution also provides SSO to SAML-, OAuth-, and OIDC-based applications.

For a further look into ADSelfService Plus' identity security capabilities, get your free, 30-day trial of the product here.