What is MFA Fatigue Attack (MFA Bombing): Best Practices

Ajmal Kohgadai
August 27, 2024

Over the course of several hours, an attacker persistently sent an Uber contractor push notifications, knowing that repeated prompts might eventually lead to approval. The attacker had initially obtained the contractor's login credentials, likely through phishing or a previous data breach, but was blocked by the Multi-Factor Authentication (MFA) requirement. 

To bypass this, the attacker repeatedly triggered MFA push notifications aimed at gaining access to Uber's VPN, which serves as a gateway to the company’s internal network. The contractor, feeling overwhelmed, ultimately accepted one of the prompts, which allowed the attacker to bypass Uber's security and gain access to critical internal systems. 

This breach resulted in the exposure of sensitive data and internal tools, causing significant disruption and highlighting the importance of understanding and defending against this growing threat, known as the MFA fatigue attack.

As organizations continue to bolster their cybersecurity defenses, MFA has become a cornerstone in the battle against unauthorized access. By requiring multiple forms of verification, MFA significantly raises the bar for attackers. 

However, as with any security measure, MFA is not impervious to exploitation. MFA fatigue attacks exploit it through a psychological and technical strategy that capitalizes on human error and persistence.

This blog delves into the mechanics of MFA fatigue attacks, their impact, and how organizations can detect and mitigate them using best practices to ensure that security operations remain resilient in the face of evolving threats.

What is an MFA fatigue attack?

An MFA fatigue attack, also known as MFA bombing or push fatigue, is a social engineering attack where an adversary repeatedly triggers authentication requests to the targeted user in a short period. The constant barrage of notifications or prompts can overwhelm the user, leading them to inadvertently approve the request out of frustration, fatigue, or the assumption that it is a legitimate attempt.

How do MFA fatigue attacks work?

Initial Compromise: The attacker typically starts with a compromised set of credentials—whether through phishing, credential stuffing, or a previous data breach. These credentials may include a valid username and password but lack the second factor required for full access.

Persistent prompts: Using the stolen credentials, the attacker attempts to log in to the victim's account. This triggers an MFA challenge, such as a push notification, SMS code, or phone call. The attacker repeatedly attempts the login, generating multiple MFA prompts in quick succession.

User frustration: As the victim receives numerous prompts, they may become confused, frustrated, or fatigued. In some cases, the victim may incorrectly assume the prompts are legitimate requests made by themselves or their organization’s IT department.

Accidental approval: Eventually, the victim may accept one of the prompts, either to stop the notifications or under the mistaken belief that it is necessary. This grants the attacker full access to the account, bypassing the security MFA was intended to provide.

Why MFA fatigue attacks are effective

Human behavior: The crux of MFA fatigue attacks lies in exploiting predictable human behaviors. People are prone to making errors, especially when under stress or when facing repetitive tasks. Attackers leverage this vulnerability, betting that persistence will eventually lead to a lapse in judgment.

Poor user training: Many users are not adequately trained to recognize the signs of an MFA fatigue attack. Without proper education, they may not understand the importance of verifying each MFA prompt before approval.

How to detect MFA fatigue attacks: Best practices

Detecting MFA fatigue attacks requires a combination of user engagement, proactive monitoring, and intelligent analysis. From building the right detection rules to setting up real-time alerts when unusual MFA activity is detected, it’s important to ensure that your security systems are finely tuned to recognize both subtle and overt signs of attack.

Here are some best practices that companies can implement to effectively identify these attacks:

Monitor MFA prompt frequency: This is an obvious one to start with. MFA fatigue attacks rely on a high frequency of prompts to succeed. Track the number of MFA prompts sent to each user within a specific time frame and set thresholds for acceptable prompt frequencies. Generally speaking, more than 2 failed MFA attempts followed by a successful authentication in a 4-hour period should warrant a further look.
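The threshold above can be expressed as a small detection pass over authentication logs. This is an added example, not code from the original post; the event layout (user, timestamp, outcome) and the outcome names are assumptions to be mapped onto your identity provider's real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)   # look-back period from the rule above
MAX_FAILURES = 2              # "more than 2" failed attempts warrants review

# Constructed sample events: (user, ISO timestamp, outcome). Hypothetical schema.
SAMPLE_EVENTS = [
    ("alice", "2024-08-01T09:00:00", "SUCCESS"),
    ("bob",   "2024-08-01T01:10:00", "DENIED"),
    ("bob",   "2024-08-01T01:12:00", "TIMEOUT"),
    ("bob",   "2024-08-01T01:13:00", "DENIED"),
    ("bob",   "2024-08-01T01:15:00", "DENIED"),
    ("bob",   "2024-08-01T02:40:00", "SUCCESS"),  # 4 failures, then approval
    ("carol", "2024-08-01T03:00:00", "DENIED"),
    ("carol", "2024-08-01T03:01:00", "DENIED"),
    ("carol", "2024-08-01T03:02:00", "SUCCESS"),  # only 2 failures: not flagged
    ("dave",  "2024-08-01T00:00:00", "DENIED"),
    ("dave",  "2024-08-01T00:01:00", "DENIED"),
    ("dave",  "2024-08-01T00:02:00", "DENIED"),
    ("dave",  "2024-08-01T06:00:00", "SUCCESS"),  # failures older than 4 hours
]

def find_fatigue_candidates(events, window=WINDOW, max_failures=MAX_FAILURES):
    """Return one alert per successful MFA that was preceded by more than
    max_failures failed challenges for the same user inside the window."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    parsed = sorted((datetime.fromisoformat(ts), user, outcome)
                    for user, ts, outcome in events)
    for ts, user, outcome in parsed:
        recent = failures[user]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if outcome == "SUCCESS":
            if len(recent) > max_failures:
                alerts.append({"user": user,
                               "approved_at": ts.isoformat(),
                               "failures_in_window": len(recent),
                               "first_failure": recent[0].isoformat()})
            recent.clear()          # design choice: a success resets the streak
        else:
            recent.append(ts)       # DENIED, TIMEOUT, etc. all count as failed
    return alerts

if __name__ == "__main__":
    for alert in find_fatigue_candidates(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the approval time, which is the session to pivot from when checking for the persistence signals described in the next item.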

Analyze authentication patterns: Looking for users successfully logging in from new IP addresses, previously unseen devices, or via geo-impossible travel can be interesting (albeit noisy) initial signals for account takeover. These signals are available by default in Okta behavioral detections or most enterprise SIEM solutions. Reduce the noise by:

  • Paying special attention to situations where the user is logging in from anonymous proxies or VPN providers, a common favorite for threat actors.
  • Identifying related sessions where some form of persistence is established (user password change of an unrelated account, new MFA added, etc.). MFA fatigue yields only a temporary foothold, which encourages threat actors to quickly maintain their presence.

Leverage AI and behavioral analytics: Use tools that establish baseline user behavior and detect deviations. 

User feedback mechanism: Encourage users to report unusual MFA activity promptly. Have an email distribution, Slack channel, or highly publicized web-form that normalizes and encourages escalating security events.

How to mitigate MFA fatigue attacks: Best practices

To defend against MFA fatigue attacks, organizations need a multi-faceted approach that addresses both the technical and human elements of the threat. Here are some best practices:

Implement robust user training: Regularly train employees on the dangers of MFA fatigue attacks. Emphasize the importance of never approving an MFA request they did not initiate and encourage them to report any unusual activity immediately.

Use FIDO keys for sensitive users or assets: You can largely eliminate the threat from MFA fatigue attacks by requiring a physical device (rather than push notification or SMS) as the second authentication factor. This approach ensures that sensitive users or assets are better protected against unauthorized access attempts.

Use password-less biometric MFA, like Okta FastPass, when possible: By leveraging biometric factors (such as fingerprints or facial recognition) for authentication, you can enhance security and user convenience simultaneously.

Limit MFA prompt frequency: Organizations can configure their MFA systems to limit the number of prompts a user can receive within a specific time frame. By reducing prompt frequency, the chances of an attacker successfully conducting an MFA fatigue attack are minimized.

Use Number Challenge or similar features from your SSO solution: Instead of simply approving a push notification, users can be required to match a number displayed on their authentication app with one shown during the login attempt. This method ensures that the user is actively involved in the authentication process, making it harder for attackers to succeed.

Enable time-based lockouts: Consider configuring MFA systems to lock an account or temporarily suspend MFA prompts after a certain number of failed attempts within a set time period. This can instantly halt an MFA fatigue attack.
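The prompt-frequency limit and the time-based lockout described above can be combined in one sliding-window control. This is an added sketch, not code from the original post or from any vendor; the class name, method names, and all thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque

class PushPromptThrottle:
    """Caps push prompts per user in a sliding window and suspends push for a
    lockout period once the cap is hit. Thresholds are assumptions, not
    vendor defaults; times are plain seconds so the logic is easy to test."""

    def __init__(self, max_prompts=3, window_s=600, lockout_s=1800):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._sent = defaultdict(deque)   # user -> times of unapproved prompts
        self._locked_until = {}           # user -> time push is re-enabled

    def request_prompt(self, user, now):
        """Decide whether a login attempt at time `now` may trigger a push."""
        if now < self._locked_until.get(user, 0):
            return "LOCKED"               # no push sent while suspended
        sent = self._sent[user]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()                # forget prompts outside the window
        if len(sent) >= self.max_prompts:
            self._locked_until[user] = now + self.lockout_s
            sent.clear()
            return "LOCKED"               # cap reached: start the lockout
        sent.append(now)
        return "SEND"

    def record_approval(self, user):
        """An approved prompt ends the streak of unanswered prompts."""
        self._sent.pop(user, None)

def simulate(attempt_times, user="bob", **settings):
    """Replay login attempts (seconds) and return the decision for each."""
    throttle = PushPromptThrottle(**settings)
    return [throttle.request_prompt(user, t) for t in attempt_times]

if __name__ == "__main__":
    # Constructed burst: five attempts in four minutes, then two much later.
    print(simulate([0, 60, 120, 180, 240, 2000, 2100]))
```

A "LOCKED" decision is also a useful detection signal in its own right, since legitimate users rarely hit the cap.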

Educate on reporting protocols: Encourage users to report any suspicious or excessive MFA prompts. A clear and straightforward reporting process can help security teams detect and respond to MFA fatigue attacks before they lead to a full breach.

MFA fatigue attacks represent a sophisticated blend of social engineering and technical persistence. As attackers continue to evolve their methods, organizations must remain vigilant and proactive in their defense strategies. By understanding the mechanics of MFA fatigue and implementing a few best practices, organizations can significantly reduce their risk of falling victim to this emerging threat. In the end, the battle against MFA fatigue attacks is not just about technology—it's about fostering a culture of security awareness and resilience.
