“MFA fatigue” attacks are not new, but they are one of the fastest-growing cyber threats to both individuals and organisations. They emerged as a response to the wider adoption of multi-factor authentication (MFA), and their aim is simply to wear the user down. The attacker, who already holds the victim’s password, triggers sign-in attempt after sign-in attempt, each of which sends a push notification to the user’s phone, until the user approves one just to make the prompts stop. It may sound simple, but it works quite well.
Candidly, MFA is one of those ‘can’t live with it / can’t live without it’ developments. It’s infuriating, but it’s also generally seen as a cybersecurity success story.
Cyber criminals are increasingly focusing on ‘MFA fatigue’ attacks, and with considerable success. The attacker bombards the user’s mobile device with a relentless stream of push requests, often combined with a message or call claiming to come from the IT department or another trusted party and telling the user that the prompts are expected and should be approved. The goal is to wear the user down until they grant the authorisation the MFA-protected system requires. Users, exasperated by the seemingly endless stream of ‘push’ prompts, often relent, which is exactly what the attackers want.
It’s not easy to resist an MFA fatigue attack, but resist you must. If you receive an MFA prompt when you are not in the middle of signing in to that account, deny it: your password has most likely been compromised and someone is trying to use it. If the prompts keep coming, the attacker is not merely trying your password; they are deliberately targeting you with an MFA fatigue attack. In either case, contact your IT person or your outsourced IT managed services supplier immediately to flag the problem and have your password reset. If it’s happening to you, it’s probably happening to others at your firm.
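The user-facing symptom described above (a burst of push prompts the user keeps denying, sometimes ending in an approval) is also the signal a security team can look for in the identity provider’s logs. The following is an added example, not code from the original article: a small detector that groups push prompts per user, counts the denied or timed-out prompts inside a sliding window, and flags a likely successful attack when an approval arrives right after such a burst. The log format, the window and the threshold are assumptions for illustration; real IdP logs (Okta, Entra ID, Duo) use their own schemas, so the parser would need adapting.

```python
"""Detect MFA-fatigue patterns in push-authentication logs.

Added example for this article, not code from the original page.
Assumed log format (one push prompt per line):
    <ISO-8601 timestamp> <user> <result>
where result is one of: approved, denied, timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per user (assumption)
THRESHOLD = 5                    # refused prompts in WINDOW that make a burst (assumption)

# Constructed sample data, not real logs: alice is bombarded and finally approves,
# bob denies once by accident and then approves, carol is bombarded but holds out.
SAMPLE_LOG = """\
2024-03-04T09:00:05Z alice denied
2024-03-04T09:00:40Z alice timeout
2024-03-04T09:01:10Z alice denied
2024-03-04T09:01:55Z alice timeout
2024-03-04T09:02:30Z alice denied
2024-03-04T09:03:02Z alice approved
2024-03-04T09:05:00Z bob denied
2024-03-04T09:05:30Z bob approved
2024-03-04T09:10:00Z carol denied
2024-03-04T09:11:00Z carol timeout
2024-03-04T09:12:00Z carol denied
2024-03-04T09:13:00Z carol denied
2024-03-04T09:14:00Z carol timeout
2024-03-04T09:15:00Z carol denied
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: verdict} for users whose prompt history looks like a fatigue attack.

    verdict is "attempt" when at least `threshold` prompts were denied or timed
    out inside one window, and "likely_success" when an approval follows such a
    burst within the same window, i.e. the user appears to have relented.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            by_user[user].append((ts, result))

    verdicts = {}
    for user, events in by_user.items():
        events.sort()
        recent = []  # (timestamp, result) of prompts still inside the window
        for ts, result in events:
            # Drop prompts that have aged out of the window.
            recent = [(t, r) for t, r in recent if ts - t <= window]
            refused = sum(1 for _, r in recent if r != "approved")
            if result == "approved" and refused >= threshold:
                # Approval right after a burst of refusals: the attacker likely got in.
                verdicts[user] = "likely_success"
            elif result != "approved" and refused + 1 >= threshold:
                # Burst of refusals with no approval yet: attack in progress.
                verdicts.setdefault(user, "attempt")
            recent.append((ts, result))
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(detect_fatigue(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

On the sample above alice is reported as a likely successful attack and carol as an attempt in progress, while bob’s single accidental denial is ignored. A "likely_success" finding should be treated as a confirmed compromise: revoke the session, reset the password, and check what the session did. Tuning matters: a threshold that is too low will page on users who fat-finger the prompt, while a window that is too long will merge unrelated sign-ins.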