What is multi-factor authentication (MFA) fatigue and how do you defend against attacks?

Desktop monitor and mobile phone with hand pointing

Multi-factor authentication (MFA) is a widely used security strategy that requires the use of two or more different verification factors to authenticate the user. Unfortunately, as MFA has become more prominent across the business landscape, it’s increasingly become vulnerable to exploitation by cyber criminals thanks to MFA fatigue.

MFA is more secure than the simple combination of a username and password, adding a second authentication layer, and it’s increasingly required for all kinds of platforms from online banking to business systems. You still need a username and password, and when these are entered correctly, a message is set to your mobile phone asking you to approve the login attempt. Only when approval is given, can you log in.

What is MFA fatigue?

MFA is both easy to use and offers more protection of critical assets, meaning it’s been increasingly adopted by a number of services. In fact, it’s difficult to avoid encountering some form of two-factor authentication (2FA) or MFA in digital life.

However, everybody must now handle a growing number of push notifications and codes, and weariness is setting in. While MFA is undoubtedly more secure than not using it, the process can be tiring, where users onc only used a username and password combination locked away in a password manager. Every time a user wants to log in to their bank, for example, or online productivity suite, or their work email, they must approve their own login attempt. Having to do this can become irritating and tedious. This is what cyber criminals hope to take advantage of.

What does MFA fatigue look like?

MFA often uses a notification sent to a phone, called a ‘push notification’. It can also come in the form of an SMS code, or an authenticator app. In the case of the former, though, a message will alert the user to an attempt to log in, and ask them to ‘allow’ or ‘deny’ the login by tapping a button. Alternatively, the push notification might require biometric authentication, or a one-time passcode. Nevertheless, these button-based types of notifications are the ones that offer cyber criminals their greatest opportunities.

The frustration of push notifications piling up when the user has already gone through the first login stage in a different way – for example through their web browser – can start to feel tedious. All it takes is one person to feel so annoyed at receiving yet another notification, that they hit the approve button without really thinking about it or meaning to. This is what cyber criminals waiting in the wings are banking on.

How do MFA fatigue attacks work?

A hacker seeking access to somebody’s account can submit a username and password combination to generate a push notification to their smartphone. These credentials can be obtained in various ways including running through lists of alphanumeric combinations stored in a dictionary alongside guessed passwords, or they can use actual credentials obtained through insider leaks, theft or phishing.

As soon as the correct username and password combination is used, the push notification is triggered. This won’t happen just once. Automated hostile systems make multiple attempts, each one generating a push notification in a brute force attack. This is in the hope the victim hits the ‘approve’ button out of sheer fatigue, annoyance or carlessness.

Cyber criminals rely entirely on their victim authenticating the login attempt. While some users will be diligent all the time, hackers only needs a tiny fraction of users to grant access. In the end, MFA fatigue attacks rely on users making mistakes.

How can you defend against MFA fatigue attacks?

While MFA help keep systems secure, the vulnerability lies with users succumbing to fatigue and tapping an approval notification out of frustration. Businesses, however, can take a number of steps to minise these errors and mitigate the risks.

Give users the agency to report attacks

Firstly, let users know that receiving multiple push notifications is very likely the action of a cyber criminal, and that these notifications should be reported to the IT security team. This can make the user feel they have some agency, and allows them to take positive action.

The top 12 password-cracking techniques used by hackers

Once informed that a brute force attack is in progress, the IT security team can change the user’s password, and this will mean that a hacker no longer has a working username and password, so they can’t trigger push notifications.

Urge staff to change their passwords

It’s also wise to encourage users to change their passwords if even a single push notification shows a login attempt from an unfamiliar geographical location, or an unfamiliar device. If the user doesn’t recognise where the login attempt is coming from, it may well not be a legitimate login attempt.

Employ an alternative MFA approach

Using an alternative form of MFA, such as a code issued by an authenticator app, would avoid this issue altogether. There are a number of alternatives available to the push notification, including a one-time code delivered by text message, or biometric authentication. Setting a limit to sign-in requests that can generate a push notification might also be helpful, with systems requesting a password reset if that limit is reached.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.
At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.