In September 2022, a member of the Lapsus$ ransomware gang persistently sent an Uber contractor push notifications over the course of several hours. Why? The cybercriminals knew that repeated prompts might eventually lead to approval. And they were right.

The malicious hackers had initially obtained the contractor's login credentials, likely through phishing or a previous data breach, but were blocked by the Multi-Factor Authentication (MFA) requirement. To bypass this, the attacker repeatedly triggered MFA push notifications aimed at gaining access to Uber's VPN, which serves as a gateway to the company’s internal network. The contractor, feeling overwhelmed, ultimately accepted one of the prompts, which allowed the attacker to bypass Uber's security and gain access to critical internal systems. 

This breach exposed sensitive data and internal tools, causing significant disruption. Uber’s then-CEO was even found guilty of covering up the breach. However, more than anything, this attack drives home the importance of understanding and defending against this growing threat, known as an MFA fatigue attack.

As organizations continue to bolster their cybersecurity defenses, MFA has become a cornerstone in the battle against unauthorized access. By requiring multiple forms of verification, MFA significantly raises the bar for attackers. 

However, as with any security measure, MFA is not impervious to exploitation, and MFA fatigue attacks do exactly that as a psychological and technical strategy that capitalizes on human error and persistence. 

This blog delves into the mechanics of MFA fatigue attacks, their impact, and how organizations can detect and mitigate them using best practices to ensure that security operations remain resilient in the face of evolving threats.

What is an MFA fatigue attack?

An MFA fatigue attack, also known as an MFA bombing attack or push fatigue attack, is a type of cyber attack that uses social engineering tactics. It involves an adversary repeatedly triggering authentication requests to the targeted user in a short period. The constant spamming of notifications or prompts can overwhelm the user, leading them to inadvertently approve the request out of frustration, fatigue, or the assumption that it is a legitimate attempt.

How do MFA fatigue attacks work?

Initial Compromise: The attacker typically starts with a compromised set of credentials—whether through phishing, credential stuffing, or a previous data breach. These credentials may include a valid username and password but lack the second factor required for full access to a user’s account.

‍Persistent prompts: Using the stolen credentials, the attacker attempts to log in to the victim's account. This triggers an MFA challenge, such as a push notification, SMS code, or phone call. The attacker repeatedly attempts to log in, generating multiple MFA prompts in quick succession.

‍User frustration: As the victim receives numerous prompts, they may become confused, frustrated, or fatigued. In some cases, the victim may incorrectly assume the prompts are legitimate requests made by themselves or their organization’s IT department.

‍Accidental approval: Eventually, the victim may accept one of the prompts, either to stop the notifications or under the mistaken belief that it is necessary. This grants the attacker full access to the account, bypassing the security MFA was intended to provide.

Why MFA fatigue attacks are effective

Human behavior: The crux of MFA fatigue attacks lies in exploiting predictable human behaviors. People are prone to making errors, especially when under stress or when facing repetitive tasks. Attackers leverage this vulnerability, betting that persistence will eventually lead to a lapse in judgment.

‍Poor user training: Many users are not adequately trained to recognize the signs of an MFA fatigue attack. Without proper education, they may not understand the importance of verifying each MFA prompt before approval.

How to detect MFA fatigue attacks: Best practices

Detecting MFA fatigue attacks requires a combination of user engagement, proactive monitoring, and intelligent analysis. From building the right detection rules to setting up real-time alerts when unusual MFA activity is detected, it’s important to ensure that your security systems are finely tuned to recognize both subtle and overt signs of attack.

Here are some best practices that companies can implement to effectively identify these attacks. 

‍Monitor MFA prompt frequency: This is an obvious one to start with. MFA fatigue attacks rely on a high frequency of prompts to succeed. Track the number of MFA prompts sent to each user within a specific time frame and set thresholds for acceptable prompt frequencies. Generally speaking, more than 2 failed MFA attempts followed by a successful authentication in a 4-hour period should warrant a further look.

‍Analyze authentication patterns: Looking for users who are successfully logging in from new IP addresses, previously unseen devices, or via geo-impossible travel can be interesting (albeit noisy) initial signals for account takeover. These come as default with Okta behavioral detections or most enterprise SIEM solutions. Reduce the noise by:

• Paying special attention to situations where the user is logging from anonymous proxies or VPN providers, a common favorite for threat actors.
• Identifying related sessions where some form of persistence is established (user password change of an unrelated account, new MFA added, etc.). MFA fatigue is a temporary foothold that encourages threat actors to quickly maintain presence. 

‍Leverage AI and behavioral analytics: Use tools that establish baseline user behavior and detect deviations. 

‍User feedback mechanism: Encourage users to report unusual MFA activity promptly. Have an email distribution, Slack channel, or highly publicized web form that normalizes and encourages escalating security events.

How to mitigate MFA fatigue attacks: Best practices

To defend against MFA fatigue attacks, organizations need a multi-faceted approach that addresses both the technical and human elements of the threat. Here are some best practices:

• ‍Implement robust user education: Incorporate training on the dangers of MFA fatigue attacks into your security awareness training program. Emphasize the importance of never approving an MFA request they did not initiate and encourage them to report any suspicious activity immediately.
• ‍Use FIDO2 keys for sensitive users or assets: Requiring a physical security key (rather than push notification or SMS) as the second authentication factor can largely eliminate the threat of an MFA fatigue attack. This approach bolsters your access management strategy to protect against compromised accounts or unauthorized access to sensitive assets.
• Use passwordless biometric MFA, like Okta FastPass, when possible: By leveraging biometric factors (such as fingerprints or facial recognition) for authentication, you can enhance security and user convenience simultaneously.
• ‍Limit MFA prompt frequency: Organizations can configure their MFA systems to limit the number of prompts a user can receive within a specific time frame. By reducing prompt frequency, the chances of an attacker successfully conducting an MFA fatigue attack are minimized.
• ‍Use Number Challenge or similar features from your SSO solution: Instead of simply approving a push notification, require users to match a number displayed on their authentication app with one shown during the login attempt. This method ensures that the user is actively involved in the authentication process, making it harder for attackers to succeed.
• ‍Enable time-based lockouts: Consider configuring MFA systems to lock an account or temporarily suspend MFA prompts after a certain number of failed attempts within a set time period. This can instantly halt an MFA fatigue attack.
• ‍Educate on reporting protocols: Encourage users to report any suspicious or excessive MFA prompts. A clear and straightforward reporting process can help security teams detect and respond to MFA fatigue attacks before they lead to a full breach.

MFA fatigue attacks represent a sophisticated blend of social engineering and technical persistence. As attackers continue to evolve their methods, organizations must remain vigilant and proactive in their defense strategies. By understanding the mechanics of MFA fatigue and implementing a few best practices, organizations can significantly reduce their risk of falling victim to this emerging threat. In the end, the battle against MFA fatigue attacks is not just about technology—it's about fostering a culture of security awareness and resilience.

At Prophet Security, we're building an AI SOC Analyst that applies human-level reasoning and analysis to triage and investigate every alert without the need for playbooks or complex integrations. Request a demo of Prophet AI to learn how you can triage and investigate security alerts 10 times faster and protect your organization from cyber threats.

Frequently Asked Questions (FAQ)

What is an MFA fatigue attack?

An MFA fatigue attack is a type of cyberattack where an attacker repeatedly sends push-based multi-factor authentication (MFA) requests to a user in hopes that the user will approve one out of frustration or confusion. It's also known as a push fatigue or MFA bombing attack.

How do MFA fatigue attacks work?

These attacks usually begin with stolen login credentials. The attacker then attempts multiple logins, each triggering an MFA prompt. By overwhelming the user with prompts, the attacker increases the chance the user will mistakenly approve one.

Why are MFA fatigue attacks effective?

They exploit human behavior, such as stress and repetitive decision fatigue. Many users are unaware of the risks and mistakenly assume the MFA prompts are legitimate, especially if training or awareness is lacking.

What are common signs of an MFA fatigue attack?

Unusually high volumes of MFA requests in a short time, logins from new locations or devices, and user reports of suspicious authentication activity are key signs of an MFA fatigue attack.

How can you detect MFA fatigue attacks?

Monitor the number of MFA requests per user, analyze abnormal login behavior (e.g., geo-impossible logins, VPN use), set alert thresholds, and establish user reporting channels for suspicious MFA activity.

How do you prevent MFA fatigue attacks?

Use phishing-resistant methods like FIDO2 security keys, enable number matching for push approvals, limit prompt frequency, set time-based lockouts, and provide ongoing user training about MFA abuse tactics.

Are FIDO2 keys effective against MFA fatigue attacks?

Yes, FIDO2 security keys are highly effective because they require a physical device for authentication, making it nearly impossible for attackers to succeed with push-based MFA abuse.

Can behavioral analytics and AI help stop MFA fatigue attacks?

Yes, AI and behavioral analytics can detect anomalies in authentication patterns and user behavior, allowing faster identification of suspicious login attempts or unusual MFA prompt activity.

What’s the difference between MFA fatigue and MFA bombing?

MFA fatigue and MFA bombing refer to the same type of attack. Both describe a tactic where attackers send repeated MFA prompts to a user in hopes they’ll approve one out of frustration or confusion. The terms are used interchangeably in the cybersecurity industry.