A multi-factor authentication (MFA) fatigue attack – also known as MFA Bombing or MFA Spamming – is a social engineering cyberattack strategy where attackers repeatedly push second-factor authentication requests to the target victim’s email, phone, or registered devices. The goal is to coerce the victim into confirming their identity via the notification, thus authenticating the attacker’s attempt at entering their account or device.
To initiate the MFA push notifications, an attacker must first attempt to log in as the target user. Thus, MFA fatigue attacks are often preceded by other social engineering attack vectors, such as phishing, to gain credentials. Stolen credentials may also be acquired from the dark web and via many other attack vectors.
Most modern MFA platforms support push-notification style authentication. After submitting their initial set of credentials – also known as their first-factor authentication – the user then receives a push notification asking them to confirm their second factor authentication, such as via the physical ownership and control of their mobile device. In theory, this allows users to authenticate their identity through a single phone notification, and often a single tap on the screen.
The prevalence of this simplified authentication architecture is what is causing MFA fatigue attacks to grow in popularity among hacking groups. One example of a high-profile MFA fatigue attack is the September 2022 Uber breach by Lapsus$, a hacking group notorious for its social engineering attacks. MFA fatigue attacks often result in the deployment of ransomware, taking corporate resources or sensitive data hostage in exchange for a monetary ransom.
Multi-factor authentication is a credential authentication method requiring the user to submit multiple verification methods as proof of their identity – and the authenticity of their credential access. Two-factor authentication (2FA) is one common type of MFA that requires two factors for authentication.
Initial authentication for MFA typically begins at a login interface. After supplying proof of identity (the first factor), such as a username and password, the user is prompted to further authenticate their identity via at least one other factor before being granted access to the resource. These additional factors include a second password or PIN, biometric data, a GPS or network location, or an object or device in the physical possession of the user, such as a mobile device or a security card. In modern MFA configurations, the latter is the most common.
Upon logging into an application, system, or single sign-on portal, users are sent a push notification to their authentication device. For most users, this push notification comes from an application installed on their personal or work mobile device, or a call or text confirmation to their phone number. This is the area of exposure that MFA fatigue attackers aim to exploit.
Multi-factor authentication requires the verification of two or more factors to authenticate an identity.
The three categories of authentication factors are:
Knowledge factors (something you know): Authentication elements only you as the owner of your identity would know. This may include an additional password (beyond the initial login sequence), a personal identification number (PIN), or an additional security question (e.g., what street you grew up on, the name of your first pet).
Possession factors (something you have): Authentication elements only you as the owner of your identity would possess. This typically consists of an additional device (e.g., mobile phones, tablets). Security keys, tokens, or cards are also used in higher security environments.
Inherence factors (something you are): Authentication elements only verifiable with your own body. Inherence-based factors may include fingerprints, thumbprints, or handprints. They may also include facial recognition, eye recognition (via retina or iris scans), or voice recognition.
An MFA fatigue attack may attempt to force the verification of one or all three authentication factors. By aggressively soliciting a response from the identity owner, a fatigue attack relies on the owner buckling under the pressure and authenticating the attacker’s login attempts.
Typically, the multi-factor authentication fatigue attack chain unfolds as follows:
Unlike many other attack methods, an MFA fatigue attack begins with user information already available. The attacker will typically have access to a victim’s username, password, or recovery credentials. This might be sourced from preliminary attacks (such as phishing or social engineering) or may have been exposed credentials from a larger breach. Often, stolen information can be purchased off the dark web.
The attackers then use the illicitly gained credentials to sign in to a target’s account or device secured by push multi-factor authentication. Typically, the attacker will trigger the authenticating application’s push notifications in quick succession. These push notifications can arrive over email, text message, or desktop notification, but are generally pushed to the user’s enrolled mobile device.
The victim will now rapidly receive push notifications as the attacker attempts to overwhelm them. The attacker’s goal is for the victim to push “Yes” and confirm their identity, permitting the attacker to venture further into their account or device. Often, a victim will push “Yes” in the hopes of stopping the notifications from occurring. The victim may think it’s a simple application malfunction or a test, or just want the notifications to end out of annoyance.
The attacker may also pose as a tech support employee, contact the victim, and then attempt to explain that the push notifications are part of a normal maintenance procedure. This is similar to what reportedly happened in the Uber breach by Lapsus$, where an external contractor was contacted via WhatsApp and goaded into authenticating his credentials.
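The attack chain above leaves a distinctive trace in identity-provider logs: many push challenges to one user in a short window, mostly denied or timed out, sometimes ending in an approval. The following is an added example written for this page (not code from the original article or from any vendor) that runs that detection over a few constructed log lines. The log format, field names and thresholds are assumptions standing in for whatever your IdP actually emits; the IP addresses are documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). The format
# "timestamp key=value ..." is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T09:00:09Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T09:00:17Z user=alice event=mfa_push result=timeout src=203.0.113.5
2024-03-01T09:00:25Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T09:00:33Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T09:00:41Z user=alice event=mfa_push result=approved src=203.0.113.5
2024-03-01T09:01:10Z user=bob event=mfa_push result=approved src=198.51.100.7
2024-03-01T09:45:00Z user=bob event=mfa_push result=approved src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes an aware datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), threshold=4):
    """Sliding-window detector for push bombing.

    Emits a 'medium' alert the first time a user accumulates `threshold`
    push challenges inside `window`, and a 'high' alert when an approval
    arrives right after a run of denials/timeouts (the pattern of a victim
    giving in). Returns the list of alerts.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, result)
    burst_users = set()          # users already alerted for the current burst
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("event") != "mfa_push":
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["ts"], ev["result"]))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
        if len(q) >= threshold and user not in burst_users:
            burst_users.add(user)
            alerts.append({"user": user, "severity": "medium", "pushes": len(q),
                           "rejected": rejected, "src": ev["src"],
                           "at": ev["ts"].isoformat()})
        if ev["result"] == "approved" and rejected >= threshold - 1:
            alerts.append({"user": user, "severity": "high", "pushes": len(q),
                           "rejected": rejected, "src": ev["src"],
                           "at": ev["ts"].isoformat()})
        if len(q) < threshold:
            burst_users.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, alice produces a medium alert at her fourth push and a high alert at the final approval, while bob's two approvals 44 minutes apart produce nothing. The "approval after a burst of denials" signal is the one worth paging on, since it marks the moment the attacker most likely got in.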
Unfortunately, no authentication method or credential verification system is completely bulletproof. The reality is that threat actors are always hunting for new ways to squeeze themselves into sensitive resources and systems.
Though multi-factor authentication is essential for boosting the protection of identities (particularly privileged identities), threats like MFA bombing attacks expose some clear security gaps. The most glaring of these include:
Here are some best practices for securing against MFA and other credential-based attacks – and cyberthreats in general.
To proactively prevent MFA fatigue attacks, the most direct course of action is to optimize the configuration of your MFA authentication processes. Enhance MFA security and oversight by implementing the following:
High-quality and frequent user education is often the best blanket defense, especially when it comes to social engineering attacks. Train users, third-party contractors, and vendors who operate within your resources about your security protocols and how to detect attempts at social engineering.
Training not only helps users flag unsolicited push notifications, but also helps ensure they better protect their credentials in the first place so a threat actor is unable to use them in an MFA fatigue or other attacks.
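The configuration side of the defense above amounts to a server-side policy on push challenges: cap how many pushes a user can receive in a window, and stop sending pushes at all after repeated denials so the login has to fall back to another factor. The following is an added illustration written for this page (not code from the original article or from any MFA product) of such a policy; the limits, the lockout duration and the simulation driver are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class PushChallengePolicy:
    """Gate push-style second-factor challenges per user.

    Assumed policy (an illustration, not any vendor's defaults):
      * at most `max_pushes` challenges per user inside `window` ("throttled")
      * after `max_denials` consecutive denials or timeouts, push is locked
        for `lockout` and the login must use a non-push factor ("locked")
    """

    def __init__(self, max_pushes=3, window=timedelta(minutes=10),
                 max_denials=2, lockout=timedelta(hours=1)):
        self.max_pushes = max_pushes
        self.window = window
        self.max_denials = max_denials
        self.lockout = lockout
        self._sent = defaultdict(deque)   # user -> timestamps of sent pushes
        self._denials = defaultdict(int)  # user -> consecutive denials/timeouts
        self._locked_until = {}           # user -> datetime the lock expires

    def request_push(self, user, now):
        """Decide whether a new push may go to `user` at `now`.
        Returns 'send', 'throttled' or 'locked'."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[user]  # lock has expired
        sent = self._sent[user]
        while sent and now - sent[0] > self.window:  # forget old pushes
            sent.popleft()
        if len(sent) >= self.max_pushes:
            return "throttled"
        sent.append(now)
        return "send"

    def record_response(self, user, result, now):
        """Feed back the user's answer ('approved', 'denied' or 'timeout').
        Returns True if this response triggered a lockout."""
        if result == "approved":
            self._denials[user] = 0
            return False
        self._denials[user] += 1
        if self._denials[user] >= self.max_denials:
            self._locked_until[user] = now + self.lockout
            self._denials[user] = 0
            self._sent[user].clear()
            return True
        return False


def simulate_bombing(policy, user="alice", attempts=6, start=None):
    """Drive the policy with a burst of login attempts 20 s apart, the user
    denying every push that is actually sent. Returns the list of decisions."""
    now = start or datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    decisions = []
    for _ in range(attempts):
        decision = policy.request_push(user, now)
        decisions.append(decision)
        if decision == "send":
            policy.record_response(user, "denied", now + timedelta(seconds=5))
        now += timedelta(seconds=20)
    return decisions


if __name__ == "__main__":
    print(simulate_bombing(PushChallengePolicy()))                 # lockout after 2 denials
    print(simulate_bombing(PushChallengePolicy(max_denials=10)))   # throttle after 3 pushes
```

With the default settings the second denial locks push for an hour, so the remaining attempts never reach the user's phone; with a high denial limit the rate cap takes over after three pushes. Either way the victim sees a handful of prompts rather than a stream of them, and a lockout event is a natural thing to alert on.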
Passwords inherently represent a security risk; they’re easily shared, stolen, or forgotten. Because MFA fatigue attacks (and most other cyberattacks) begin with compromised or stolen passwords, utilizing additional modern security frameworks beyond multi-factor authentication alone is vital.
In a corporate IT environment, a Zero Trust approach (as defined by NIST SP 800-207) effectively eliminates trust-based authentication. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before establishing a session to an enterprise resource.
For web-based access, FIDO2 authentication eliminates password-only logins, replacing them with possession-based credentials stored on a personal device and verified with biometrics, PINs, or multi-device verification steps. Login credentials are unique to each website, only stored locally, and cryptographically secured.
Least privilege is the principle and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform legitimate functions. For cyberattacks like an MFA fatigue attack, least privilege access effectively restricts a malicious actor’s movements from a point of ingress. If a compromised account lacks admin rights altogether, it drastically reduces the attacker’s ability to access large amounts of sensitive data or deploy a malware payload.
Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.
You harden a system by reducing the “attack surface,” the combination of all the potential flaws and backdoors in technology that can be exploited by threat actors.
For attacks like MFA bombing, systems hardening protocols help keep stale credentials from falling into the wrong hands. System hardening also ensures that all security resources, software, and firmware are up to date with the latest patches and free from any exposed vulnerabilities.
Threats to your organization and your employees are only going to grow in complexity – and competency. One of the best ways to proactively combat attackers is to minimize vulnerability risks before they become full-blown attack vectors.
Vulnerabilities are generally defined as weaknesses or exposures in your network, systems, or other assets. Hardware, firmware, and software all have the potential to expose vulnerabilities, and while vendors typically keep a keen eye on patching holes in their products, the latency between a vulnerability’s detection and patch day can often present attackers with a large window of opportunity. IT teams are then tasked with installing these patches across an increasingly distributed workforce and complex architecture, causing vulnerability patches to sometimes slip through the cracks altogether.
Vulnerability management is the process of using technology, security strategy, and remediation techniques to detect and patch vulnerabilities in real time. It is typically divided into several stages: discovery, assessment, remediation, and reporting. The discovery process begins with organizing and identifying all enterprise and company assets – endpoints, applications, and everything in between. Then the assessment process begins; this is where your team should be scanning and testing to detect any exposed vulnerabilities. Your team should then prioritize the most urgent vulnerabilities for remediation. During this stage, prioritized vulnerabilities should be corrected, quarantined, or altogether removed through patching or updates. Once this round of vulnerabilities has been corrected, collect and report on any changes made to your ecosystem and log all activities taken along the way for an easy-to-follow audit trail.