How MFA Fatigue Attacks Work & 6 Ways to Defend Against Them

What Is an MFA Fatigue Attack?

A multi-factor authentication (MFA) fatigue attack, also known as MFA bombing or MFA spamming, is a type of social engineering cyberattack where the attacker repeatedly sends MFA requests to the victim’s email, phone, or other registered devices. The goal of this attack is to coerce the victim into confirming their identity via notification, which would authenticate the attacker’s attempt to access the victim’s account or device.

This is part of a series of articles about insider threats.


How MFA Fatigue Works

MFA fatigue attacks are a form of social engineering. To execute an MFA fatigue attack, the attacker must first gain access to the victim’s login credentials, typically through a phishing email, a credential stuffing attack, or by purchasing them on the dark web. Once the attacker has obtained the victim’s login credentials, they can attempt to log in to the victim’s account or device. If the account has MFA enabled, the attacker will be prompted to provide the second-factor authentication code.

To trigger the MFA push notifications, the attacker enters the victim’s email address or phone number, which is the contact registered for MFA, and then repeatedly initiates login attempts so that MFA requests are sent to the victim’s registered devices again and again, at a rate designed to overwhelm the victim’s ability to properly verify each one.

The victim may receive multiple MFA requests in quick succession, with the attacker using various social engineering tactics to make the victim feel under pressure to approve the requests quickly. For example, the attacker may claim that there is suspicious activity on the account or that failure to approve the requests will result in the account being locked.

If the victim falls for the attacker’s tactics and approves the MFA requests without properly verifying that they are legitimate, the attacker gains access to the victim’s account or device. This can allow the attacker to steal sensitive information, carry out fraudulent transactions, or install malware on the victim’s device.


6 Ways to Protect Against MFA Fatigue Attacks

1. Enable Additional Context

Enabling additional context is one way to protect against MFA fatigue attacks. Providing users with more information about the authentication request can help them to determine whether it is legitimate. Here are some ways to enable additional context for MFA:

  • Geolocation: Checking the user’s geolocation helps verify where a request is coming from and makes it harder for attackers to carry out MFA fatigue attacks from a different location. This is particularly useful for mobile devices, where the user’s location can change frequently.
  • Device fingerprinting: Device fingerprinting identifies the user’s device from its unique characteristics, such as browser configuration, screen resolution, and operating system. It helps prevent attackers from using different devices to carry out MFA fatigue attacks.
  • Behavioral analytics: Analyzing the user’s behavior patterns, such as typical login times, the type of device they use, and the locations they log in from, helps determine whether an authentication request is legitimate. This is particularly useful for detecting MFA fatigue attacks, because attackers typically deviate from the user’s normal behavior patterns.
  • Session history: Session history is a record of the user’s previous login attempts and the devices used. Reviewing it helps identify patterns of suspicious behavior and prevent MFA fatigue attacks.

2. Adopt Risk-Based Authentication

Here are some ways to adopt risk-based authentication for MFA:

  • Risk scoring: Assigns a risk score to each authentication request based on factors such as the user’s location, device, and behavior patterns. The higher the risk score, the more authentication factors should be required to verify the user’s identity.
  • Adaptive authentication: Uses real-time risk analysis to determine the level of authentication required for each login attempt. This can involve analyzing the user’s behavior patterns, the device being used, and the location of the login attempt.
  • Dynamic policy management: Adjusts the authentication policy based on the current risk level. For example, if the risk level is high, the policy may require additional authentication factors or block the login attempt entirely.
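Taken together, the context signals in section 1 and the scoring, adaptive-authentication and dynamic-policy steps in section 2 amount to one decision function. The Go program below is an added example written for this article, not code from the article or from any vendor product; the signal names, weights and thresholds are this example's own assumptions, chosen to show the mechanics rather than taken from any real system.

```go
package main

import (
	"fmt"
	"time"
)

// LoginContext holds the signals an identity provider can attach to one
// authentication request: geolocation, device fingerprint, behavioral
// context and recent session history. Field names are this example's own.
type LoginContext struct {
	User                 string
	Country              string    // geolocation derived from the source address
	DeviceFingerprint    string    // hash of browser, screen and OS characteristics
	At                   time.Time // time of the request in the user's local zone
	UnapprovedPushesHour int       // push prompts in the last hour the user did not approve
}

// UserProfile is the baseline built from the user's session history.
type UserProfile struct {
	HomeCountries map[string]bool
	KnownDevices  map[string]bool
	WorkStartHour int // usual login window on a 24-hour clock
	WorkEndHour   int
}

// Decision is the dynamic-policy outcome for a risk score.
type Decision string

const (
	Allow  Decision = "allow"   // low risk: the usual factor is enough
	StepUp Decision = "step-up" // medium risk: require number matching or a hardware key
	Block  Decision = "block"   // high risk: refuse the attempt and alert the SOC
)

// Score adds a weight for every signal that deviates from the baseline.
// The weights are illustrative assumptions and would be tuned in production.
func Score(ctx LoginContext, p UserProfile) int {
	score := 0
	if !p.HomeCountries[ctx.Country] {
		score += 40 // country the user has never logged in from
	}
	if !p.KnownDevices[ctx.DeviceFingerprint] {
		score += 30 // device absent from session history
	}
	if h := ctx.At.Hour(); h < p.WorkStartHour || h >= p.WorkEndHour {
		score += 15 // outside the user's usual hours
	}
	if ctx.UnapprovedPushesHour >= 3 {
		score += 50 // a burst of unapproved pushes is the signature of MFA bombing
	}
	return score
}

// Decide maps the score onto the policy: allow, step up, or block.
func Decide(score int) Decision {
	switch {
	case score >= 70:
		return Block
	case score >= 30:
		return StepUp
	default:
		return Allow
	}
}

// BaselineForDemo is a constructed profile used by main and the tests.
func BaselineForDemo() UserProfile {
	return UserProfile{
		HomeCountries: map[string]bool{"US": true},
		KnownDevices:  map[string]bool{"fp-laptop-1": true},
		WorkStartHour: 8,
		WorkEndHour:   19,
	}
}

func main() {
	p := BaselineForDemo()
	attempts := []LoginContext{ // constructed: a routine login and a bombing attempt
		{User: "alice", Country: "US", DeviceFingerprint: "fp-laptop-1",
			At: time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)},
		{User: "alice", Country: "NL", DeviceFingerprint: "fp-unknown",
			At: time.Date(2024, 5, 1, 3, 0, 0, 0, time.UTC), UnapprovedPushesHour: 5},
	}
	for _, c := range attempts {
		s := Score(c, p)
		fmt.Printf("%s from %s on %s: score=%d decision=%s\n", c.User, c.Country, c.DeviceFingerprint, s, Decide(s))
	}
}
```

The unapproved-push counter is the signal most specific to MFA bombing: a user who has denied or ignored several prompts in the last hour should not be offered yet another approve/deny prompt, which is why the policy steps up to number matching or a hardware key instead of re-sending the push.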

3. Implement FIDO2 Authentication

FIDO2 is an open authentication standard designed to provide strong authentication without the need for passwords. FIDO2 authentication can be implemented using hardware security keys, such as USB or NFC keys. These keys store the user’s private key and use public-key cryptography to verify the user’s identity.

Registration involves generating a public key and a private key for each user. The private key is stored on the user’s device or hardware security key, while the public key is stored on the authentication server. When the user logs in, the server sends a challenge to the user’s device, which signs it with the private key. The signed challenge is then sent back to the server, which verifies the signature using the public key. Because there is no push prompt for the user to approve, there is nothing for an attacker to spam.
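To make the challenge-response exchange concrete, here is a small Go simulation of a FIDO2-style registration and login. It is an added example, not code from the article or from any FIDO2 library; the relying-party ID, user name and origins are constructed, and the signed data is a simplified stand-in for the WebAuthn authenticator data and client-data hash (the real format also carries flags, a signature counter and JSON client data). Beyond the single login the article describes, it also checks that a replayed signature and a signature produced for a look-alike origin both fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator stands in for a hardware security key: the private key is
// generated inside it and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty is the authentication server; it stores only public keys.
type RelyingParty struct {
	ID      string // relying-party identifier, constructed for the example
	pubKeys map[string]*ecdsa.PublicKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewAuthenticator generates a P-256 key pair inside the "hardware key".
func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return &Authenticator{priv: priv}
}

// Register enrols the authenticator's public key for a user.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.pubKeys[user] = &a.priv.PublicKey
}

// NewChallenge returns 32 random bytes; a fresh one is issued per login.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	must(err)
	return c
}

// signedData is a simplified form of what WebAuthn signs: the hash of the
// relying-party ID followed by the hash of the client data, which ties the
// challenge to the origin the browser actually connected to.
func signedData(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientData := sha256.Sum256([]byte(origin + "|" + hex.EncodeToString(challenge)))
	return append(rpHash[:], clientData[:]...)
}

// Sign is the authenticator's response: an ECDSA signature over signedData.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) []byte {
	digest := sha256.Sum256(signedData(rpID, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	must(err)
	return sig
}

// Verify recomputes the signed data with the origin the server expects and
// checks the signature against the user's stored public key.
func (rp *RelyingParty) Verify(user, expectedOrigin string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(signedData(rp.ID, expectedOrigin, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// LoginFlow registers a key and runs three login attempts, reporting which
// verified: the genuine one, a replay of its signature against a fresh
// challenge, and a signature produced for a look-alike origin.
func LoginFlow() (genuine, replay, lookalike bool) {
	const origin = "https://login.example.com" // constructed
	rp := &RelyingParty{ID: "login.example.com", pubKeys: map[string]*ecdsa.PublicKey{}}
	key := NewAuthenticator()
	rp.Register("alice", key)
	c1 := rp.NewChallenge()
	sig1 := key.Sign(rp.ID, origin, c1)
	genuine = rp.Verify("alice", origin, c1, sig1)
	c2 := rp.NewChallenge() // the next attempt gets a new challenge
	replay = rp.Verify("alice", origin, c2, sig1)
	sig3 := key.Sign(rp.ID, "https://login-example.test", c2) // constructed look-alike origin
	lookalike = rp.Verify("alice", origin, c2, sig3)
	return
}

func main() {
	g, r, l := LoginFlow()
	fmt.Printf("genuine=%t replay=%t lookalike=%t\n", g, r, l)
}
```

The two negative cases are why FIDO2 resists MFA fatigue: there is no prompt the user can approve by mistake, and a signature is only valid for the challenge and origin the genuine server issued it for.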

4. Disable Push Notification as a Verification Method

MFA push notifications are designed to be easy to use, as users simply need to click “Yes” or “Allow” to approve login attempts. However, this simplicity also makes it easier for attackers to overwhelm users with fraudulent MFA requests.

To protect against MFA fatigue attacks, it is recommended to disable push notifications as a verification method in your authenticator app. Instead, use alternative verification methods such as:

  • Number matching: The user must match a unique code or PIN shown by the authentication app with the code displayed on the screen during the login process.
  • Challenge and response: The app presents a random challenge or question that the user must answer to verify their identity.
  • Time-based one-time passwords: The app generates a unique code that changes every few seconds, which the user must enter to verify their identity.

The advantage of these alternative verification methods is that they require users to actively participate in the authentication process and cannot be approved by accident. Disabling push notifications in favor of them helps prevent MFA fatigue attacks and improves the overall security of MFA.
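A time-based one-time password is the simplest of the three methods to show end to end. The following Go program is an added example, not the article's code or any authenticator app's; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and adds a verifier that tolerates one step of clock drift but refuses to accept the same step twice. The secret is the published RFC test secret, so the code printed for t=59 can be compared with the RFC 6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const step = 30 // seconds per time step (RFC 6238 default)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to six decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is HOTP with the counter derived from the clock (RFC 6238).
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/step)
}

// Verifier checks submitted codes for one user. It tolerates one step of clock
// drift either way and never accepts a step twice, so a captured code cannot
// be replayed and nothing is accepted without the user typing it in.
type Verifier struct {
	secret []byte
	last   int64 // highest counter accepted so far; -1 means none yet
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, last: -1} }

// Check returns true only for a fresh, valid code for the current window.
func (v *Verifier) Check(code string, now time.Time) bool {
	cur := now.Unix() / step
	for _, c := range []int64{cur - 1, cur, cur + 1} {
		if c < 0 || c <= v.last {
			continue // before the epoch, or a step already consumed
		}
		if hmac.Equal([]byte(HOTP(v.secret, uint64(c))), []byte(code)) {
			v.last = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 / RFC 6238 test secret
	at := time.Unix(59, 0)
	code := TOTP(secret, at)
	v := NewVerifier(secret)
	fmt.Println("code at t=59:      ", code)
	fmt.Println("first use accepted:", v.Check(code, at))
	fmt.Println("replay accepted:   ", v.Check(code, at))
}
```

The comparison uses hmac.Equal rather than == so that checking a wrong code takes the same time as checking a right one, and the verifier stores the last accepted counter per secret, which is what stops a code an attacker has phished or shoulder-surfed from being used a second time.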

5. Improve Security Awareness Around MFA

Educating users on the risks of MFA fatigue attacks and providing guidance on how to properly verify MFA requests can help reduce the likelihood of successful attacks. Here are some ways to improve security awareness around MFA:

  • User education: Provide users with education and training on MFA, including the risks of MFA fatigue attacks and how to verify the authenticity of MFA requests. This can include simulated phishing exercises, which can help to raise awareness of the tactics used by attackers and teach users how to recognize and avoid them.
  • Simple language: Use simple language to explain the risks and benefits of MFA, and provide clear instructions on how to set up and use MFA. Avoid using technical jargon or complex language, which can be confusing for users and reduce the effectiveness of security awareness programs.
  • Good password hygiene: Encourage users to use strong, unique passwords and to avoid reusing passwords across multiple accounts. This can help to prevent attackers from using stolen passwords to carry out MFA fatigue attacks.
  • Monitor activity: Regularly monitor user accounts for suspicious activity, such as multiple failed login attempts or unusual login locations. This can help to detect MFA fatigue attacks and other types of cyber attacks before they cause significant damage.
  • Review and update: Regularly review and update MFA settings, such as registered devices and notification settings, to ensure they are optimized for security and usability. This can help to prevent MFA fatigue attacks and other types of cyber attacks.

6. Protecting Against MFA Fatigue Attacks with an Advanced SIEM Platform

Protecting against MFA fatigue attacks requires a proactive approach, which can be achieved by combining advanced SIEM (Security Information and Event Management) solutions with user and entity behavior analytics (UEBA) and other security best practices. Advanced SIEM platforms provide real-time monitoring, threat detection, and incident response capabilities to help organizations detect and mitigate MFA fatigue attacks.

Here are some ways to protect against MFA fatigue attacks using SIEM:

  • Real-time monitoring and alerting: SIEM systems monitor your environment for any signs of suspicious or abnormal behavior, such as repeated failed login attempts or unusual access patterns. By setting up real-time alerts, security teams can quickly investigate and mitigate potential MFA fatigue attacks.
  • User and Entity Behavior Analytics (UEBA): SIEMs use UEBA to establish baseline patterns of credential and device behavior and identify any deviations from the norm. This helps detect any attempts to exploit MFA fatigue by identifying unusual login patterns or account usage.
  • Machine learning threat detection: Many SIEMs utilize machine learning to identify complex attack patterns and detect threats that traditional, rule-based systems might miss. This capability can help security teams detect and prevent MFA fatigue attacks more effectively.
  • Incident response and automation: Advanced SIEM platforms often include orchestrated incident response and automation capabilities, allowing security teams to respond quickly to potential MFA fatigue attacks by isolating affected accounts, resetting credentials, or triggering other remediation actions.
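What a SIEM rule for the first bullet actually does can be shown in a few lines of code. The Go program below is an added example, not Exabeam's or any SIEM's rule language; the log format, user names, timestamps and source addresses are constructed for the example. It counts denied or timed-out pushes per user inside a sliding window, raises an alert at a threshold, and escalates if the user eventually approves during the burst, which is the case a SOC most needs to catch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed MFA push record.
type Event struct {
	At     time.Time
	User   string
	Result string // approved, denied or timeout
}

// Alert is what the rule emits for a user who received a burst of pushes.
type Alert struct {
	User               string
	Count              int  // unapproved pushes inside the window
	ApprovedAfterBurst bool // the user finally approved: likely compromise
}

// ParseLine reads one "timestamp key=value ..." line in this example's
// constructed log format; non-push and malformed lines return an error.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := make(map[string]string)
	for _, f := range fields[1:] {
		if p := strings.SplitN(f, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	if kv["event"] != "mfa_push" {
		return Event{}, fmt.Errorf("not an MFA push event: %q", line)
	}
	return Event{At: at, User: kv["user"], Result: kv["result"]}, nil
}

// Detect alerts when a user accumulates at least threshold unapproved pushes
// inside window, and escalates the alert if an approval follows the burst.
func Detect(lines []string, window time.Duration, threshold int) []Alert {
	byUser := make(map[string][]Event)
	for _, l := range lines {
		if ev, err := ParseLine(l); err == nil { // other event types are skipped
			byUser[ev.User] = append(byUser[ev.User], ev)
		}
	}
	var alerts []Alert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var pending []time.Time // unapproved pushes still inside the window
		var a *Alert
		for _, ev := range evs {
			for len(pending) > 0 && pending[0].Before(ev.At.Add(-window)) {
				pending = pending[1:] // slide the window forward
			}
			if ev.Result != "approved" {
				pending = append(pending, ev.At)
			}
			if len(pending) < threshold {
				continue
			}
			if a == nil {
				a = &Alert{User: u}
			}
			a.Count = len(pending)
			a.ApprovedAfterBurst = a.ApprovedAfterBurst || ev.Result == "approved"
		}
		if a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// SampleLog is constructed for this example; addresses come from RFC 5737 test ranges.
var SampleLog = []string{
	"2024-05-01T02:10:05Z event=mfa_push user=alice result=denied src=203.0.113.5",
	"2024-05-01T02:10:40Z event=mfa_push user=alice result=timeout src=203.0.113.5",
	"2024-05-01T02:11:12Z event=mfa_push user=alice result=denied src=203.0.113.5",
	"2024-05-01T02:12:30Z event=mfa_push user=alice result=approved src=203.0.113.5",
	"2024-05-01T09:00:01Z event=mfa_push user=bob result=approved src=198.51.100.7",
	"2024-05-01T09:00:02Z event=login user=bob result=success src=198.51.100.7",
}

func main() {
	for _, a := range Detect(SampleLog, 10*time.Minute, 3) {
		fmt.Printf("ALERT user=%s unapproved_pushes=%d approved_after_burst=%t\n", a.User, a.Count, a.ApprovedAfterBurst)
	}
}
```

With a ten-minute window and a threshold of three, the sample produces one alert for alice with the approved-after-burst flag set, while bob's single approved push and unrelated login event produce nothing. In a real deployment the rule would be fed from the identity provider's sign-in logs, and the escalated alert would trigger the automated response the last bullet describes (disabling the session and resetting the credential).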

By employing SIEM capabilities and implementing other security best practices, organizations can effectively protect against MFA fatigue attacks and maintain a secure and robust authentication environment.


Protecting Against Identity Attacks with Exabeam

Exabeam Security Analytics™ runs on top of a legacy SIEM or data lake to upgrade an organization’s defenses against credential-based attacks. Security Analytics sorts all behaviors into Smart Timelines™ to convey the complete history of an incident, showing full event flows (both suspicious and normal) to identify activities and scoring the risk associated with each event. Exabeam Security Analytics offers UEBA with threat detection and a Correlation Rules builder to tailor detections and notifications to your organizational needs.

If you’re looking for security orchestration and automated response on top of UEBA, Exabeam Security Investigation™ adds content, workflows, and automation to provide outcome-focused threat detection, investigation, and response (TDIR) capabilities. To help standardize around TDIR best practices, Security Investigation includes prescribed workflows for ransomware, phishing, malware, compromised insiders, and malicious insiders, and pre-built content (e.g., MITRE ATT&CK framework) that focuses on specific threat types and techniques to achieve more repeatable and successful TDIR.

Learn more: Exabeam UEBA