Multifactor Authentication (MFA) Fatigue Is a Type of Cyberattack.

After gaining access to compromised login credentials, a hacker tricks a user into granting access to an account by repeatedly sending push notifications to approve the login. Eventually, the user approves the notification from fatigue or negligence and grants the hacker access to their account.

For example, think about when you log in to your Office 365 account. Once you enter your username and password, you’re prompted to verify the login using the Microsoft Authenticator app on your mobile device. Then, your phone displays a push notification asking you to approve the sign-in attempt. Do you think twice about approving the notification?

Hackers are always looking for new ways to access information and steal data. MFA fatigue attacks take advantage of human behavior and perception to access information. However, this type of attack is easy to recognize and prevent—you just need to keep your eyes open and alert.

In this article, we’ll show you:

  • How hackers execute MFA fatigue attacks
  • How to detect an MFA fatigue attack
  • How you can protect yourself from MFA fatigue attacks

Background: What Is MFA?

While you may not be familiar with multifactor authentication (MFA) by name, you’re probably familiar with it in practice if you’ve used an internet-connected device in the past five years or so.

MFA is meant to provide an additional layer of account protection when logging into an account and accessing information online by adding an alternative touchpoint to the login process. In the most common scenario, after entering your username and password to log into an account, you’re asked to verify or approve the login via a text message or push notification.

How Are MFA Fatigue Attacks Executed?

MFA fatigue cyberattacks exploit the human element of cybersecurity via social engineering. MFA is still a relatively new form of security, especially with authenticator apps—users aren’t familiar enough with MFA technology to recognize that an attack is even happening. It’s easy to chalk this type of attack up to a bug and keep going about your day.

To initiate an MFA fatigue attack, the hacker needs to have obtained your login credentials already. Cracking passwords is easier than you might think, especially if they’re weak. Learn more about creating stronger passwords.

Once the hacker has entered your login credentials, the system will prompt them to approve the login via MFA. At this point, you’ll receive a notification on your mobile device asking you to approve the login. The hacker is counting on your distracted brain or habit of automatically approving logins to gain access to your account. Once you approve the login, they’re in.

In more advanced scenarios, a hacker may use an MFA auto-retry script, where the MFA push prompt is sent repeatedly until you inevitably give up and approve the login. In many cases, users think the repeated prompts are just a bug in the system and approve the login to end the nuisance.


How to Identify an MFA Fatigue Attack

  • Multiple Authenticator Notifications. You receive numerous approval requests from the same application without entering any login information.
  • Unprompted Verification Attempts. You receive an MFA request without actually logging into an application.
  • Notifications at Odd Times. For example, a request arrives late at night when you usually aren’t working, or while you’re out of the office on vacation.
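The three signs above can be turned into a simple detector run over sign-in logs. The following is an added example, not code from High Touch or Microsoft: the log format and the events are constructed, and the thresholds (3 prompts within 10 minutes, 07:00 to 19:59 UTC as working hours) are assumptions an administrator would tune to their own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real tenant data): one line per MFA push prompt,
# "<UTC timestamp> <user> <outcome>", outcome being what the user did with it.
SAMPLE_EVENTS = [
    "2024-03-11T02:14:05Z alice@example.com timeout",
    "2024-03-11T02:14:40Z alice@example.com denied",
    "2024-03-11T02:15:12Z alice@example.com timeout",
    "2024-03-11T02:15:50Z alice@example.com denied",
    "2024-03-11T02:16:31Z alice@example.com approved",
    "2024-03-11T09:02:11Z bob@example.com approved",
    "2024-03-11T13:45:00Z bob@example.com denied",
]

BURST_WINDOW = timedelta(minutes=10)  # assumed: prompts closer than this form a burst
BURST_THRESHOLD = 3                   # assumed: prompts in one window before alerting
WORK_HOURS = range(7, 20)             # assumed: 07:00-19:59 UTC is normal sign-in time

def parse_event(line):
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def find_fatigue_bursts(lines, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: [reasons]} for users whose prompts match the warning signs."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, outcome = parse_event(line)
        per_user[user].append((ts, outcome))
    findings = {}
    for user, events in per_user.items():
        events.sort()
        reasons = []
        # Sign 1: many prompts close together (sliding window starting at each prompt).
        # Sign 2 (a prompt the user never triggered) leaves rejected prompts as its trace.
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                rejected = sum(1 for _, o in burst if o != "approved")
                reasons.append(f"{len(burst)} prompts within {window}, {rejected} not approved")
                if any(o == "approved" for _, o in burst):   # the user finally gave in
                    reasons.append("approval followed rejected prompts in the same burst")
                break
        # Sign 3: prompts at odd hours strengthen a burst but are not alerted on alone.
        off_hours = sum(1 for ts, _ in events if ts.hour not in WORK_HOURS)
        if reasons and off_hours:
            reasons.append(f"{off_hours} prompts outside working hours")
        if reasons:
            findings[user] = reasons
    return findings
```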

How to Protect Yourself from an MFA Fatigue Attack

Create a strong password

Protecting yourself from an MFA fatigue attack begins by having a strong password. Hackers can’t execute an MFA fatigue attack without knowing your username and password. For starters, we recommend using unique passwords and passphrases that have a combination of at least 14 characters, including upper and lowercase letters, numbers, and symbols. Learn how to create a strong password.

Limit MFA Attempts

Depending on the type of product, your Managed Services partner or System Administrator may be able to configure the default limits of your MFA service, limiting the maximum number of attempts allowed in a specific time frame.

Phone Sign-In Verification

For certain products, you can set up Microsoft Authenticator’s phone sign-in verification method, where a unique two-digit number is generated and must be confirmed on both sides of the authentication. Essentially, you’re adding a layer of verification instead of just relying on the approval of a push notification.
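The attempt limit from “Limit MFA Attempts” and the number matching described here can be seen together in a small simulation. This is an added example, not Microsoft Authenticator’s code: it models number matching as a two-digit code shown on the sign-in screen that must be typed into the app, and the PushVerifier class, its limits (3 prompts per 10 minutes, 60-second code lifetime) and the sample user are assumptions.

```python
import secrets

class PushVerifier:
    """Simulated number-matching MFA with a per-user prompt rate limit.

    Constructed example, not a real authenticator service. Times are plain
    seconds since epoch so the scenario below can be replayed deterministically.
    """

    def __init__(self, max_prompts=3, window=600, ttl=60):
        self.max_prompts = max_prompts   # prompts allowed per user per window
        self.window = window             # rate-limit window in seconds
        self.ttl = ttl                   # how long a displayed code stays valid
        self.pending = {}                # user -> (code, expires_at)
        self.prompt_log = {}             # user -> timestamps of issued prompts

    def request_push(self, user, now):
        """Sign-in server side, called after the password was accepted.
        Returns the two-digit code to show on the sign-in screen, or None when
        the user has already been prompted max_prompts times in the window."""
        recent = [t for t in self.prompt_log.get(user, []) if now - t < self.window]
        if len(recent) >= self.max_prompts:
            self.prompt_log[user] = recent
            return None
        code = f"{secrets.randbelow(100):02d}"      # "00".."99"
        self.pending[user] = (code, now + self.ttl)
        self.prompt_log[user] = recent + [now]
        return code

    def answer_push(self, user, typed, now):
        """Authenticator side: the user types the number shown on the sign-in
        screen. Each push is single-use; a bare tap (typed=None) never succeeds,
        because it carries nothing that proves the user saw that screen."""
        entry = self.pending.pop(user, None)
        if entry is None or typed is None:
            return False
        code, expires_at = entry
        if now >= expires_at:
            return False
        return secrets.compare_digest(code, str(typed))

def demo():
    """Replay the scenario from the text; returns the four outcomes."""
    v, user, t0 = PushVerifier(), "alice@example.com", 1_710_122_045
    v.request_push(user, t0)                           # attacker triggers a push
    blind_approve = v.answer_push(user, None, t0 + 5)  # victim taps approve blindly
    code = v.request_push(user, t0 + 60)               # victim signs in themself
    legit = v.answer_push(user, code, t0 + 70)         # and types the code they see
    third = v.request_push(user, t0 + 120)             # still under the limit
    fourth = v.request_push(user, t0 + 180)            # refused: 3 prompts in 10 min
    return blind_approve, legit, third is not None, fourth is None
```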

Deny Unidentified Requests

If you receive a push notification for a request you didn’t initiate, deny the request and change your password. Your login credentials may have been compromised.

We Help Keep Your Business Safe.

As a technology partner, High Touch provides Cybersecurity solutions, including Security Awareness Training for employees, to help keep your business safe. Contact us to learn more about Cybersecurity for your business.