MFA Fatigue: How criminals bypass multifactor authentication
It is increasingly clear that, no matter the strength and complexity of passwords, they are simply no longer a secure means of authentication. The time has come for an "extra layer" of security to protect us from cybercrime. As such, over the past few years, industry experts have come out strongly in favor of multi-factor authentication – also known by various other names and acronyms, like dual authentication, two-factor authentication, MFA, 2FA, etc.
What we mean is an additional step in the authentication process, when an Internet user enters a randomly generated code received via SMS or a dedicated app. In the corporate world, identity management solutions make it even easier: simply confirm the login attempt through a push notification that pops up on your smartphone.
However, a novel scam is now jeopardizing the security of multifactor authentication: we are talking about an attack called MFA Fatigue, also known as MFA Bombing or MFA Spamming, that has many experts on alert due to its recent success. It was employed to hijack legitimate employee accounts of major corporations throughout 2022. And with its increasing popularity, raising employee awareness has become critical.
Notification Spam
The word "fatigue" is rather apt in describing this new scam: it is designed to wear victims down. To stage the attack, a criminal first needs the target's login credentials, usually obtained through data leaks or phishing campaigns. Next, multiple authentication requests are sent repeatedly within a short space of time, creating a spam wave of double authentication requests on an employee's mobile device.
The idea is that the victim quickly gets annoyed with so many authentication request notifications that, after a few hours, and assuming that the multifactor authentication system must be bugged, the user simply clicks "Allow" to stop any further notifications. And there you have it: following a wave of automated insistence that gets under the target’s skin, the bad actor finally manages to crack the two-step login barrier – and the account owner has walked the cybercriminal through the door.
Is there a solution?
Although attempted attacks of this type skyrocketed in 2022, take a deep breath and remember that, at the end of the day, there are simple measures you can adopt to mitigate (or at least complicate) the efforts of cybercriminals. Information security teams, for example, can simply create a rule in their identity and access management solutions that blocks further notifications after a certain number of authentication requests have been denied, thereby preventing fatigue.
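As an added illustration (not code from the original article), the denial-threshold rule described above can be modelled as a small log replay: count push denials per user inside a sliding window, lock the user once the threshold is hit, and record any event that arrives after the lock, since a late "approved" after a burst of denials is exactly the signal that a worn-down user tapped Allow. The log format, the threshold of 3 denials and the 10-minute window are assumptions; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines (illustrative format, not a real product's).
SAMPLE_LOG = """\
2022-09-14T08:01:10Z user=alice result=denied
2022-09-14T08:01:25Z user=alice result=denied
2022-09-14T08:01:40Z user=alice result=denied
2022-09-14T08:02:05Z user=alice result=denied
2022-09-14T08:02:30Z user=alice result=approved
2022-09-14T08:03:00Z user=bob result=approved
2022-09-14T09:30:00Z user=carol result=denied
"""

MAX_DENIALS = 3                 # assumed: denials tolerated inside one window
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting denials

def parse_line(line):
    # "timestamp key=value ..." -> dict with a parsed datetime under "ts"
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def evaluate_push_events(log_text, max_denials=MAX_DENIALS, window=WINDOW):
    """Replay push events. Returns (locked, suppressed):
    locked     - user -> timestamp at which the denial threshold was reached
    suppressed - events for an already locked user (prompts a real system would
                 withhold; a late 'approved' here is the fatigue signal to alert on)"""
    recent = defaultdict(deque)   # user -> timestamps of denials within window
    locked, suppressed = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if user in locked:
            suppressed.append((user, ts, rec["result"]))
            continue
        if rec["result"] != "denied":
            recent[user].clear()      # a normal approval resets the counter
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop denials older than the window
            q.popleft()
        if len(q) >= max_denials:
            locked[user] = ts
    return locked, suppressed
```

In a real deployment the lock would suppress further prompts at the identity provider and raise an alert to the security team, rather than just being returned from a function.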
Of course, employees should also be trained to understand that an avalanche of notifications may not be a system error, but a bad actor attempting to invade an account. If you think that may be happening to you, the best thing to do is to immediately contact the information security team, which will take the appropriate steps to safeguard your credentials.