MFA (Multi-Factor Authentication) Fatigue Attacks – 2024
A Cyberattack to Counter Multi-Factor Authentication
Catalog of Scams – A SCARS Institute Insight
Author:
• SCARS Institute Encyclopedia of Scams Editorial Team – Society of Citizens Against Relationship Scams Inc.
Article Abstract
An MFA fatigue attack is a cyber tactic where attackers bombard a victim’s device or account with repeated multi-factor authentication (MFA) push notifications until the victim becomes overwhelmed or annoyed.
The goal is to exhaust the target, eventually leading them to accidentally approve one of the authentication requests, thereby giving the attacker access to their account.
MFA (Multi-Factor Authentication) Fatigue Attacks are Increasing and People are Becoming Victims
Introduction
Multi-factor authentication (MFA) is a security method that requires users to provide more than one form of verification to access an account or application. MFA is an important way to protect online accounts and the data they contain, and it’s becoming more common as cyber threats increase.
An MFA fatigue attack is a method used by cybercriminals to exploit the human element of multi-factor authentication (MFA) systems. In these attacks, an attacker who has already obtained a user’s login credentials bombards the user’s device with continuous MFA push notifications, attempting to wear them down to the point where the user mistakenly or out of frustration approves the authentication request, thereby granting the attacker access to their account.
Rather than bypassing MFA through technical means, the attacker relies on persistence, hoping the user will inadvertently approve a request, either because they think it is legitimate or simply to stop the flood of notifications. This type of attack is often combined with other social engineering methods, such as impersonating IT support to convince the victim that the notifications are legitimate.
This attack method has been used by groups such as Scattered Spider and has proven effective against high-profile targets even when traditional security defenses were in place.
How MFA Fatigue Attacks Work
Here are the MFA Fatigue Attack steps:
- Credential Compromise: The attacker initially gains access to the victim’s username and password, usually through phishing or other social engineering tactics.
- MFA Bombardment: With credentials in hand, the attacker tries to log into the victim’s account. This triggers the MFA system to send repeated push notifications or prompts to the user’s mobile device or email.
- Exhausting the User: The attacker continues to send these authentication requests at frequent intervals. Over time, the victim may become overwhelmed, annoyed, or confused by the barrage of prompts.
- Unintentional Approval: The aim is for the user to accidentally approve one of the prompts, either out of confusion, frustration, or a mistaken belief that it’s legitimate. Once approved, the attacker gains full access to the account.
Examples of MFA Fatigue Attacks
- Uber Hack (2022): A high-profile MFA fatigue attack occurred during the Uber hack in 2022. The attacker obtained an employee’s login credentials and initiated an MFA fatigue attack by repeatedly sending push notifications to the employee’s phone. Eventually, the employee approved one of the authentication requests, allowing the attacker to breach Uber’s internal systems. The hacker then gained access to sensitive company information and openly taunted Uber’s security team.
- Okta Hack (2022): Another example involved Scattered Spider (LUCR-3), which targeted the identity provider Okta. Attackers used MFA fatigue to target an employee of a subcontractor to Okta. After a series of push notifications, the employee inadvertently granted access, allowing attackers to infiltrate Okta’s systems and later other client companies through the breached identity platform.
How to Prevent MFA Fatigue Attacks
- Educating Users: One of the most effective ways to prevent MFA fatigue attacks is through user awareness. Employees and individuals need to be educated about the dangers of approving unexpected MFA requests. If they receive repeated MFA prompts they did not initiate, they should report the incident to their IT or security team immediately.
- Time-based Lockouts: Organizations can configure MFA systems to temporarily lock accounts after a certain number of failed or rejected MFA attempts. This reduces the likelihood of an attacker successfully exploiting MFA fatigue.
- Phishing-resistant MFA: Using stronger forms of authentication, such as hardware-based security keys (FIDO2 keys like a YubiKey), makes it harder for attackers to bypass MFA by removing the reliance on push notifications or SMS codes that a user can be worn down into approving.
- Additional Authentication Layers: Adding extra layers of security, such as biometric authentication or requiring contextual information (like location or device) to approve logins, can make it harder for attackers to succeed.
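The following is an added example, not code from SCARS or from any identity provider, showing how the time-based lockout above and the "report repeated prompts" guidance can be turned into detection logic. It replays a constructed authentication log (the line format, event names such as push_sent/push_denied/push_expired/push_approved, and the thresholds WINDOW, MAX_PUSHES and MAX_REJECTED are all assumptions chosen for illustration), counts push prompts per user in a sliding window, locks the account once a number of prompts have been denied or expired, and refuses to honour an approval that arrives during a lockout or right after earlier denials.

```python
"""MFA push-fatigue detection with a rejected-prompt lockout.

Added example (not SCARS code). The log format, event names and thresholds
are assumptions chosen for illustration; real identity providers emit
different events, but the sliding-window logic transfers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, one push challenge event per line.
# Fields: ISO-8601 timestamp, user, event, source IP of the login attempt.
SAMPLE_LOG = """\
2024-10-02T14:00:01Z alice push_sent 203.0.113.7
2024-10-02T14:00:03Z alice push_denied 203.0.113.7
2024-10-02T14:00:20Z alice push_sent 203.0.113.7
2024-10-02T14:00:25Z alice push_denied 203.0.113.7
2024-10-02T14:00:50Z alice push_sent 203.0.113.7
2024-10-02T14:00:55Z alice push_expired 203.0.113.7
2024-10-02T14:01:10Z alice push_sent 203.0.113.7
2024-10-02T14:01:12Z alice push_denied 203.0.113.7
2024-10-02T14:01:30Z alice push_sent 203.0.113.7
2024-10-02T14:01:33Z alice push_approved 203.0.113.7
2024-10-02T14:05:00Z bob push_sent 198.51.100.4
2024-10-02T14:05:04Z bob push_approved 198.51.100.4
2024-10-02T14:10:00Z carol push_sent 192.0.2.9
2024-10-02T14:10:05Z carol push_denied 192.0.2.9
2024-10-02T14:10:40Z carol push_sent 192.0.2.9
2024-10-02T14:10:43Z carol push_approved 192.0.2.9
"""

WINDOW = timedelta(minutes=5)   # sliding window for counting prompts (assumed)
MAX_PUSHES = 3                  # prompts sent in WINDOW before alerting (assumed)
MAX_REJECTED = 3                # denied/expired prompts in WINDOW before lockout (assumed)


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str   # push_sent | push_denied | push_expired | push_approved
    ip: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, ip = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(stamp, user, kind, ip))
    return events


def analyze(events: list) -> dict:
    """Replay events in order: alert on a burst of prompts, lock the account
    after repeated rejections, and do not trust approvals during lockout."""
    pushes = defaultdict(deque)     # user -> timestamps of prompts sent
    rejected = defaultdict(deque)   # user -> timestamps of denied/expired prompts
    locked = {}                     # user -> time the lockout began
    alerts = []                     # (timestamp, user, alert_type)
    honored = []                    # approvals accepted as valid

    for ev in events:
        # Drop entries older than WINDOW so counts reflect only recent activity.
        for q in (pushes[ev.user], rejected[ev.user]):
            while q and ev.ts - q[0] > WINDOW:
                q.popleft()

        if ev.user in locked:
            # During lockout no prompt is delivered and no approval is trusted.
            alerts.append((ev.ts, ev.user, "suppressed_during_lockout"))
            continue

        if ev.kind == "push_sent":
            pushes[ev.user].append(ev.ts)
            if len(pushes[ev.user]) >= MAX_PUSHES:
                alerts.append((ev.ts, ev.user, "push_bombardment"))
        elif ev.kind in ("push_denied", "push_expired"):
            rejected[ev.user].append(ev.ts)
            if len(rejected[ev.user]) >= MAX_REJECTED:
                locked[ev.user] = ev.ts
                alerts.append((ev.ts, ev.user, "lockout"))
        elif ev.kind == "push_approved":
            if len(pushes[ev.user]) >= MAX_PUSHES or rejected[ev.user]:
                # An approval right after a burst or after earlier denials is
                # the fatigue pattern itself: hold it for analyst review.
                alerts.append((ev.ts, ev.user, "suspicious_approval"))
            else:
                honored.append((ev.ts, ev.user, ev.ip))

    return {"alerts": alerts, "locked": locked, "honored": honored}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for ts, user, kind in result["alerts"]:
        print(f"{ts.isoformat()} {user}: {kind}")
    print("locked:", sorted(result["locked"]))
    print("honored approvals:", result["honored"])
```

On the sample, alice triggers a push_bombardment alert on the third prompt and is locked after the third rejection, so her later approval is never honoured; bob's single prompt and approval pass; carol's approval is flagged as suspicious because she denied a prompt moments earlier. The same counters can feed a SIEM rule so the security team learns about the bombardment from the logs rather than only from a user report.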
MFA fatigue attacks demonstrate how social engineering can bypass even robust security measures by exploiting human error and frustration. As attackers continue to evolve their techniques, organizations must combine technical controls with user training to mitigate the risks.