MFA Fatigue Attack: What It Is & How to Prevent It


Credential theft has long been a leading cause of network security breaches, prompting many organizations to implement multi-factor authentication (MFA) as a safeguard. It’s highly recommended that you enable MFA for all accounts as a best practice. However, the effectiveness of MFA depends significantly on how it’s set up, because attackers are developing strategies to bypass it.

A common method attackers use involves bombarding an employee whose credentials they’ve stolen with relentless MFA prompts. This tactic, known as an MFA fatigue attack, was notably used in the recent breach at Uber, which we’ll dissect later in this article.

Exploring the rising concern of MFA fatigue attacks

An MFA fatigue attack is a type of social engineering cyberattack — also known as MFA bombing or MFA spamming — that occurs when attackers bombard your email, phone or registered devices with repeated second-factor authentication requests. The aim is to wear you down until you inadvertently confirm a notification, which grants the attackers access to your account or device.

These attacks typically begin after attackers have already obtained your login credentials, often through phishing or other social engineering tactics. Credentials may also be purchased on the dark web among other sources. Once they have these, attackers can initiate MFA push notifications. In a typical scenario, after you enter your first set of credentials (first-factor), you would receive a push notification to verify your identity through something you physically possess (second-factor), like your mobile phone.

The target of an MFA fatigue attack: Who is at risk?

MFA fatigue attacks can target anyone within an organization, but they are particularly effective against individuals with access to sensitive information or administrative privileges. These attacks exploit the human tendency to seek convenience over security, especially when faced with persistent and annoying security prompts. Common targets include:

  • High-level executives: CEOs, CFOs, and other C-suite executives are prime targets due to their broad access to sensitive company information.
  • IT staff and administrators: Those who manage and have privileged access to IT systems are at high risk as their credentials can provide deeper access to the network.
  • Human resources personnel: HR managers often have access to employee personal and financial data, making them attractive targets for attackers.
  • Financial officers and accountants: Individuals who handle financial transactions and sensitive financial data are targeted to gain access to banking information and transaction capabilities.
  • Customer service representatives: Employees in customer-facing roles may have access to customer personal data and systems related to user management.

Educate all employees about the risks and signs of MFA fatigue attacks to safeguard personal and organizational data. Regular training on cybersecurity best practices and implementing robust security policies can significantly mitigate the risk of such targeted attacks. Awareness and preparedness are key defenses against the growing threat of MFA fatigue.

MFA fatigue attack example

Let’s look at a real-life MFA fatigue attack example. Uber recently fell victim to an MFA fatigue attack perpetrated by the notorious hacking group, Lapsus$. This breach began when the attackers compromised the credentials of an external contractor, likely acquired via the dark web. With these credentials, the attackers incessantly triggered MFA requests to log into the Uber network. Initially, the contractor resisted these prompts, but the attackers cleverly posed as tech support over WhatsApp, coaxing the contractor into accepting the MFA prompt, thereby gaining unauthorized access.

Once inside, the attackers accessed several other employee accounts, escalating their permissions to infiltrate key internal tools like G-Suite and Slack and download sensitive internal communications and a financial tool used by Uber’s finance team. This incident is an example of a critical vulnerability in MFA systems and serves as a stark reminder of the need for constant vigilance and robust security practices to defend against sophisticated cyber threats, particularly in MFA security.

MFA fatigue attack prevention strategies

To effectively prevent an MFA fatigue attack, you need to implement robust strategies tailored to your organization’s specific needs. MFA fatigue attack prevention begins with comprehensive education and training for all team members. Educating yourself and your staff about the signs of MFA fatigue and the methods attackers use can significantly reduce the risk. From there, employ these important tactics:

  • Establish clear protocols for handling unexpected MFA requests.
  • Encourage your team to report any suspicious activity without hesitation.
  • Regularly update and review MFA protocols to ensure your defenses keep pace with evolving cybersecurity threats.

Using a security policy that limits the frequency of MFA requests reduces the chances of your employees facing a bombardment of login prompts, decreasing the likelihood of accidental approvals. You can implement additional layers of security, such as behavioral analytics, to help detect unusual patterns that may indicate an attempted MFA fatigue attack. By adopting these proactive measures, you can safeguard your data and empower your employees to contribute to the overall security of your organization.
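The frequency limit and the unusual-pattern detection described above can be sketched as a replay over MFA push logs. This is an added example, not code from the original article or from NinjaOne; the event format, user names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_PUSHES = 3                   # assumed per-user push limit inside WINDOW

# Constructed sample events: (ISO timestamp, user, result of the push prompt)
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:05", "contractor1", "denied"),
    ("2024-05-01T02:01:10", "contractor1", "timeout"),
    ("2024-05-01T02:02:30", "contractor1", "denied"),
    ("2024-05-01T02:03:45", "contractor1", "denied"),
    ("2024-05-01T02:06:00", "contractor1", "approved"),
    ("2024-05-01T09:00:00", "alice", "approved"),
    ("2024-05-01T13:00:00", "alice", "approved"),
]

def analyze(events, window=WINDOW, max_pushes=MAX_PUSHES):
    """Replay push events and return (throttled, alerts).

    throttled: prompts a frequency-limit policy would have suppressed.
    alerts: approvals that follow a burst of denied or ignored prompts.
    """
    recent = defaultdict(deque)  # user -> (time, result) pairs inside the window
    throttled, alerts = [], []
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= max_pushes:
            # Under the policy this prompt would never have reached the user.
            throttled.append((ts, user))
        rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
        if result == "approved" and rejected >= max_pushes:
            # Approval right after repeated rejections: the fatigue pattern.
            alerts.append((ts, user, rejected))
        q.append((now, result))
    return throttled, alerts

if __name__ == "__main__":
    throttled, alerts = analyze(SAMPLE_EVENTS)
    print("would throttle:", throttled)
    print("investigate:", alerts)
```

An alert here is a lead for the security team to confirm with the user, since the approval may already have granted a session that needs to be revoked.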

Enhancing security protocols without overwhelming users

When planning your security strategy, it’s important to strike a balance between implementing robust security measures and maintaining user convenience. Opt for adaptive authentication methods that tailor security requirements based on the user’s context, such as their location or the security level of the device being used. This approach can significantly reduce the frequency of authentication requests when conditions are deemed safe, minimizing user fatigue and frustration.

Additionally, ensure that all changes to security protocols are accompanied by clear, straightforward guidelines and readily available support. This helps your team understand the new processes and their importance while still supporting productivity.

Expand your security beyond single measures

MFA fatigue attacks show the limitations of relying solely on one defensive strategy, much like the unpredictable nature of zero-day vulnerabilities. With NinjaOne, you benefit from a comprehensive suite of security integrations including continuous monitoring, proactive patch management, and automated IT solutions that serve as critical tools in fortifying your defenses against diverse and constantly evolving cyber threats.

NinjaOne takes a multifaceted and adaptive approach to security, with endpoint security tools and RMM solutions that ensure strong IT security stances from the start. These systems not only provide secure backups and complete visibility into your IT infrastructure but also significantly reduce your risk, protecting your organization against the dynamic landscape of cyber threats.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all your devices centrally, remotely, and at scale.
