Author: Chase Snyder, Sr. PMM, Xage Security
A multi-factor authentication (MFA) fatigue attack is a tactic in which the attacker, already holding a victim's valid username and password, repeatedly attempts to log in with them. Each attempt causes the system to send the victim an MFA prompt, in the hope that the victim will eventually accept one just to stop the barrage, granting the attacker access without realizing it. MFA fatigue attacks are also known as MFA bombing or push bombing attacks. Push bombing refers to the fact that the prompts arrive as push notifications, emails, or even phone calls actively pushed to the user, so the attacker can generate them at will. Factors that do not produce a remote prompt, such as code-generating (TOTP) authenticator apps and hardware keys, are far less susceptible to MFA fatigue. The MITRE ATT&CK Framework catalogs this technique as "Multi-Factor Authentication Request Generation" (T1621). All of these names refer to the same cluster of techniques used by various adversary groups to get past their target's MFA defenses.
Jump to a Topic
- How To Prevent MFA Fatigue Attacks
- Educate Users on How MFA Fatigue Attacks Work
- Automatically Rotate Login Credentials to Keep Them Off The Dark Web
- Use Hardware Security Keys
- Use Multiple Layers of MFA with Different Authentication Factors
- Don’t use SMS-based MFA
- Use Adaptive Access Rules or Context-Driven MFA Requirements
- What To Do If You Have Fallen Victim to an MFA Fatigue Attack
- The State of MFA Today
Even in the face of these tactics, multi-factor authentication (MFA) is widely recognized as one of the most effective controls against account takeover. But it only works if you deploy it. In February 2024, Microsoft tweeted that only 38% of Entra ID (the renamed Azure Active Directory) accounts that use the service monthly had MFA enabled, and said it had a plan to raise that figure to 80%.
These numbers aren't generalizable across the industry, but it is fairly safe to assume that most organizations don't have MFA enabled on all, or even most, of the accounts in their environment. Microsoft itself confirmed, in a disclosure in January 2024, that a Russian state-sponsored group had used a password spray to compromise a legacy, non-production test tenant account that did not have MFA enabled, and had pivoted from that foothold into corporate email.
How To Prevent MFA Fatigue Attacks
If you have MFA enabled at all, you're already ahead of the curve. But attackers adapt, and since major companies have been breached via MFA fatigue, it is worth taking extra steps to protect yourself. As with most cyber risks, there is no one-and-done way to prevent MFA fatigue attacks. A defense-in-depth approach, combined with the always critical user education, can greatly reduce your risk.
Educate Users on How MFA Fatigue Attacks Work
User education is critical for many cybersecurity initiatives. Users who know how MFA bombing works are better equipped to recognize when they are being targeted and to avoid granting an attacker access. Training, regular reminders, and even ongoing testing of the organization's ability to resist such attacks all help ensure that users themselves are equipped to avoid compromise via MFA fatigue.
MITRE's mitigation guidance for T1621 recommends training users to accept MFA/2FA prompts only for login attempts they initiated themselves, to review the source location of any login attempt that triggers a prompt, and to report suspicious prompts rather than silently dismissing them.
Automatically Rotate Login Credentials to Keep Them Off The Dark Web
Attackers typically start an MFA fatigue attack with a login attempt using valid credentials, often purchased on the dark web or obtained through phishing or password spraying. They need a valid username and password to trigger the push notification in the first place. Verizon's 2024 Data Breach Investigations Report (DBIR) found, in a cursory survey, that over 1,000 credentials go up for sale on the dark web every day at an average price of about $10. If those credentials are still valid, they are likely to be used by attackers to break into target systems. Automatically rotating credentials reduces the likelihood that current, valid credentials for your organization are available for sale. Rotation is most practical for service, shared, and privileged account credentials held in a vault; for human users, pair it with leaked-credential monitoring so that a password is reset when it turns up in a dump, not only on a calendar schedule.
Use Hardware Security Keys
Hardware security keys based on FIDO2/WebAuthn, such as YubiKeys, are a powerful tool against MFA fatigue: the key signs a challenge bound to the site's origin and only when the user physically touches it, so there is no remote prompt for an attacker to generate or for a tired user to approve. They are not a perfect fit for every organization, though. They can be costly and challenging to roll out, to train users on, and to distribute physically. But they are a great option as part of a layered approach to getting the right level of MFA on critical systems and for highly privileged users in your environment.
Use Multiple Layers of MFA with Different Authentication Factors
MFA fatigue attacks only work against certain types of authentication factors. Push notifications are the primary example, though email could also be a vector for this type of attack. Choosing factors that do not rely on an approve button, such as code-generating (TOTP) authenticator apps and hardware keys, and requiring multiple MFA challenges that do not all depend on the same factor, is a good way to reduce the risk of a successful MFA bombing attack against your organization.
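The paragraph above identifies push prompts as the factor that MFA bombing abuses. The following added example (written for this article, not Xage's or any identity provider's code) shows the difference in working code: a fatigue-prone push issuer next to a hardened one that caps prompts per user, locks the push factor after repeated denials and steers the next login to a non-push factor, and requires number matching (the login screen shows a two-digit code the user must type into the app). Number matching goes beyond what the article itself discusses; it is the control Microsoft and other vendors enforce in their push apps, modelled here in simplified form. The whole thing is a self-contained simulation with an injected clock, and the thresholds (3 prompts per 10 minutes, lockout after 2 denials) are assumptions to tune, not recommendations from the article.

```python
# Push-MFA issuance: a fatigue-prone issuer beside a hardened one.
# Added example for this article, not Xage's or any IdP vendor's code. It is a
# self-contained simulation: the clock is injected so the run is deterministic,
# and the thresholds (3 prompts per 10 minutes, push lockout after 2 denials)
# are assumptions to be tuned per deployment.
import secrets
from collections import defaultdict


class NaivePushIssuer:
    """Fatigue-prone: no cap on prompts, and one tap on Approve completes login."""
    def __init__(self):
        self.pending = {}

    def login(self, user, password_ok):
        if not password_ok:
            return None
        prompt_id = secrets.token_hex(8)
        self.pending[prompt_id] = user   # a real issuer pushes the prompt to the app here
        return prompt_id

    def respond(self, prompt_id, approved):
        known = self.pending.pop(prompt_id, None) is not None
        return "approved" if approved and known else "denied"


class HardenedPushIssuer:
    """Three controls against push bombing:
      1. cap on prompts per user inside a sliding window;
      2. lockout of the push factor after repeated denials or code mismatches,
         steering the next login to a non-push factor (TOTP or FIDO2);
      3. number matching: the login screen shows a two-digit code the user must
         type into the app, so an unsolicited prompt cannot be approved blindly.
    """
    def __init__(self, now, max_prompts=3, window_s=600, max_denials=2):
        self.now, self.max_prompts, self.window_s, self.max_denials = now, max_prompts, window_s, max_denials
        self.pending, self.locked = {}, set()
        self.prompt_times, self.denials = defaultdict(list), defaultdict(int)

    def login(self, user, password_ok):
        if not password_ok:
            return {"status": "bad_password"}
        if user in self.locked:
            return {"status": "push_locked", "fallback": "totp_or_fido2"}
        t = self.now()
        recent = [x for x in self.prompt_times[user] if t - x < self.window_s]
        self.prompt_times[user] = recent
        if len(recent) >= self.max_prompts:
            return {"status": "rate_limited"}
        recent.append(t)
        code = f"{secrets.randbelow(100):02d}"
        prompt_id = secrets.token_hex(8)
        self.pending[prompt_id] = (user, code)
        # The app receives only the prompt; the code is shown on the login
        # screen, which during an attack sits in front of the attacker.
        return {"status": "prompt_sent", "prompt_id": prompt_id, "code_on_screen": code}

    def respond(self, prompt_id, approved, typed_code=None):
        entry = self.pending.pop(prompt_id, None)
        if entry is None:
            return "unknown_prompt"
        user, code = entry
        if approved and typed_code == code:
            self.denials[user] = 0
            return "approved"
        # A denial and a wrong code both count toward lockout: either way the
        # person holding the phone was not the person at the login screen.
        self.denials[user] += 1
        if self.denials[user] >= self.max_denials:
            self.locked.add(user)
        return "code_mismatch" if approved else "denied"


def demo_naive(prompts=20):
    """Attacker with a valid password bombs the victim, who denies 19 prompts
    and taps Approve on the 20th. Returns the issuer's verdict."""
    issuer = NaivePushIssuer()
    ids = [issuer.login("alice", password_ok=True) for _ in range(prompts)]
    for pid in ids[:-1]:
        issuer.respond(pid, approved=False)
    return issuer.respond(ids[-1], approved=True)


def demo_hardened():
    """Same attacker against the hardened issuer, with a frozen clock."""
    clock = [1000.0]
    issuer = HardenedPushIssuer(now=lambda: clock[0])
    out = {}
    # Legitimate login: the user sees the code on their own screen and types it.
    r = issuer.login("alice", password_ok=True)
    out["legit"] = issuer.respond(r["prompt_id"], approved=True, typed_code=r["code_on_screen"])
    clock[0] += 700                       # that prompt ages out of the window
    # Attacker fires five logins in a burst; only max_prompts get through.
    attempts = [issuer.login("alice", password_ok=True) for _ in range(5)]
    out["statuses"] = [a["status"] for a in attempts]
    sent = [a for a in attempts if a["status"] == "prompt_sent"]
    # Victim denies the first two prompts, then gives in on the third but
    # cannot see the attacker's screen, so has no code to type.
    out["denials"] = [issuer.respond(a["prompt_id"], approved=False) for a in sent[:2]]
    out["fatigued_tap"] = issuer.respond(sent[2]["prompt_id"], approved=True)
    clock[0] += 700                       # window expires, but push is now locked
    out["after_lockout"] = issuer.login("alice", password_ok=True)["status"]
    return out
```

Against the naive issuer the twentieth prompt lets the attacker in; against the hardened one the burst is capped at three prompts, the two denials lock the push factor, and the fatigued tap fails because the victim cannot supply the code that is displayed on the attacker's screen. In a real deployment the lockout should also raise an alert, since two denials in quick succession are themselves a strong signal that someone else holds the password.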
Don’t use SMS-based MFA
SMS-based MFA is vulnerable to a different type of MFA attack called SIM swapping. This technique is believed to have played a part in the 2023 attack on MGM Resorts' hotels and casinos, which MGM said cost it approximately $100 million. The attacker first learns the username, password, and phone number of a target whose MFA factor relies on that phone number. The attacker then uses social engineering against the carrier to get the number moved to a new device or SIM card, so that when they log in with the stolen credentials, the one-time code is delivered to the attacker rather than the victim. This is not an MFA fatigue technique, but it is another mechanism for MFA bypass that defenders must account for.
Use Adaptive Access Rules or Context-Driven MFA Requirements
The ability to adjust MFA requirements and other access controls depending on context adds a great deal of security. For example, always requiring MFA for remote access is a good way to improve your posture, since remote access tools are such a commonly weaponized entry point for attackers. Increasing the number or strength of MFA challenges as a user reaches for more privileged resources is another good practice, as is requiring different authentication factors at each layer of the network, or per device.
What To Do If You Have Fallen Victim to an MFA Fatigue Attack
If you are a cybersecurity or IT professional whose organization has fallen victim to an MFA fatigue attack, you should initiate an investigation and incident response action. Your organization should already have a plan for what to do when an identity with access to your network is compromised. Likely first actions are to reset the password, revoke the account's active sessions and refresh tokens, review its MFA registrations for devices the attacker may have enrolled, and cut off access until the investigation is complete. However, you have to assume that in the meantime the attacker has moved laterally or established another mechanism for accessing your environment, so the sign-in activity that followed the approved prompt needs to be traced as well.
If you, as an end user, have already accepted a push notification for a login attempt you did not make, report it to your organization's cybersecurity or IT team as soon as possible.
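The investigation described above starts with finding the bombing pattern from the opening section (a burst of denied or timed-out prompts for one account, possibly followed by an approval) in the identity provider's sign-in logs. The following added example (written for this article, not Xage's code or any vendor's query language) runs that detection over a few constructed JSON-lines log records. The field names ts, user, ip and result are assumptions rather than a real IdP schema; map them onto your own sign-in export before reusing the logic.

```python
"""Hunt for MFA-fatigue (push bombing) bursts in sign-in logs.

Added example for this article, not Xage's code or any IdP's query language.
The JSON-lines log below is constructed, with simplified field names (ts, user,
ip, result) that are assumptions rather than a vendor schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is bombed from one unfamiliar IP and finally
# approves; bob has an ordinary denied-then-approved pair; carol's two denials
# are far apart. Pre-MFA events (bad passwords) are present and must be ignored.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:14:05Z", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"}
{"ts": "2024-03-01T02:14:40Z", "user": "bob",   "ip": "10.0.0.5",    "result": "password_failed"}
{"ts": "2024-03-01T02:15:10Z", "user": "alice", "ip": "203.0.113.7", "result": "mfa_timeout"}
{"ts": "2024-03-01T02:16:20Z", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"}
{"ts": "2024-03-01T02:17:31Z", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"}
{"ts": "2024-03-01T02:19:02Z", "user": "alice", "ip": "203.0.113.7", "result": "mfa_approved"}
{"ts": "2024-03-01T09:00:12Z", "user": "bob",   "ip": "10.0.0.5",    "result": "mfa_denied"}
{"ts": "2024-03-01T09:00:45Z", "user": "bob",   "ip": "10.0.0.5",    "result": "mfa_approved"}
{"ts": "2024-03-01T12:00:00Z", "user": "carol", "ip": "10.0.0.9",    "result": "mfa_denied"}
{"ts": "2024-03-01T12:30:00Z", "user": "carol", "ip": "10.0.0.9",    "result": "mfa_denied"}
"""

UNANSWERED = {"mfa_denied", "mfa_timeout"}   # prompts the phone did not approve


def parse_events(text):
    """Parse JSON lines, convert timestamps, and sort chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """One alert per user who accumulates `threshold` denied or timed-out
    prompts inside a sliding `window`. The alert records the peak number of
    unanswered prompts in the window, the IPs that triggered them (in sign-in
    logs the IP belongs to whoever entered the password, i.e. the attacker,
    not the phone), and whether an approval followed the burst."""
    recent = defaultdict(deque)      # user -> (ts, ip) of unanswered prompts in window
    alerts = {}
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] in UNANSWERED:
            q = recent[user]
            q.append((ts, ev["ip"]))
            while ts - q[0][0] > window:     # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "first_prompt": q[0][0], "peak_in_window": 0,
                    "source_ips": set(), "approved_after_burst": None, "severity": "medium"})
                a["peak_in_window"] = max(a["peak_in_window"], len(q))
                a["source_ips"].update(ip for _, ip in q)
        elif (ev["result"] == "mfa_approved" and user in alerts
              and alerts[user]["approved_after_burst"] is None):
            alerts[user]["approved_after_burst"] = (ts, ev["ip"])
            alerts[user]["severity"] = "high"   # treat as a compromised identity
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, only alice is flagged: four unanswered prompts within ten minutes from a single unfamiliar address, then an approval from that same address, which is the signature of a victim giving in. The approval's IP is what makes the case actionable, since it ties the accepted prompt to the attacker's login rather than to the user's usual device. Bob's lone denial and carol's two widely spaced denials fall below the threshold, and the bad-password event never counts as an MFA denial. In production the threshold and window should be tuned against your own baseline of accidental denials and timeouts.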
The State of MFA Today
MFA works to prevent cyberattacks, but only if you actually deploy it, and that is nontrivial for many organizations. Cybersecurity is always a process of identifying priorities, weighing risks, and making tradeoffs. Which risks you accept, transfer, or mitigate will depend on your organization's budget, its needs, its critical assets, and ultimately how your business works. But for almost every organization, rolling out MFA is going to be a good investment.
To learn more about how Xage delivers MFA for remote access, and multi-layer MFA to protect every asset, device, user, and piece of data in your environment, read our related assets below.