Stop Saying “Yes:” How to Prevent MFA Fatigue


Ever get tired of approval requests whenever you try logging in to one of your accounts?

Americans have, on average, about 100 online accounts, not including the plethora of work-related accounts we each have, and as more organizations shift to Multi-Factor Authentication (MFA), those approval requests aren’t slowing down anytime soon.

We’ve probably all been guilty of relaxing our guard and quickly selecting “Yes” or “Allow” on the push notification from an account as we try and log in to Instagram, Fandango, or even our checking account.

That’s MFA Fatigue, and that’s what the bad guys want.

If you’ve been guilty of slightly relaxing your guard, imagine the amount of MFA relaxation going on in your organization. It’s your responsibility to ensure your employees know the dangers of MFA fatigue, so let’s dig in as we explore it and then learn how to fight back.

What Is MFA Fatigue?

MFA Fatigue is exactly what it sounds like—growing tired, annoyed, and frustrated with repeated MFA requests—but, more specifically, it’s what hackers try to exploit when they try to trick someone into approving an unauthorized login attempt by overwhelming them with MFA requests. Even though MFA is a strong—and strongly recommended—security tool, hackers are getting sneakier.

You may also hear these attacks referred to as MFA prompt bombing, MFA spamming, push bombing, authentication bombing, etc.

MFA fatigue attacks are a growing concern. In 2022, Microsoft’s Digital Defense Report estimated there were over 30,000 MFA fatigue attacks per month, a staggering number.

MFA Fatigue Attack Example

These attacks haven’t slowed down or let up. The Kremlin-backed hacker group Fancy Bear and Lapsus$ are two of the better-known threat actors that have used MFA prompt bombing successfully.

One of the reasons push bombing is gaining popularity is that it doesn’t require malware or phishing infrastructure.

Another main reason? It works.

Uber, Cisco, Microsoft—all massive companies with robust security environments—all fell victim to MFA fatigue attacks. It can happen to anyone.


How MFA Fatigue Attacks Happen

So how do attackers use MFA fatigue to gain access to an account?

It goes something like this:

  1. Hackers steal your login info: They might use phishing emails or other tricks to get your username and password.
  2. MFA overload: They use your stolen info to trigger a flood of MFA requests on your device.
  3. Hoping for a tap: You, annoyed by the constant pings and buzzes, accidentally approve the fake login.
  4. The hackers rejoice: Now that the bad actor is in your account, they wreak havoc.

It may look grim, but it’s important to realize that MFA fatigue attacks are not unstoppable. These attacks often exploit human error and lack of awareness. There certainly are actions that can be taken and tools that can be used that will significantly reduce the risk to your business.
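The flood of prompts in steps 2 and 3 leaves a trail in the identity provider’s logs, and that is where a security team can catch it. The detector below is an added illustration, not HBS’s or any vendor’s code; it assumes a simple constructed log format (timestamp, user, event, result, source IP) and flags any user who receives more than a handful of push prompts inside a ten-minute window, with a separate, higher-priority alert when an approval arrives right after a burst of denied or timed-out prompts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example; real IdP logs differ but carry the same fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

def parse(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def detect_push_bombing(lines, max_pushes=3, window_s=600):
    """Sliding-window count of push prompts per user.

    Emits 'push_burst' once a user has more than max_pushes prompts inside window_s,
    and 'approved_after_burst' when a prompt is approved while such a burst is active,
    which is the moment an MFA fatigue attack actually succeeds."""
    recent = defaultdict(deque)   # user -> (timestamp, result) of prompts still in the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["result"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) <= max_pushes:
            continue
        rejected = sum(1 for _, r in q if r != "approved")
        kind = "approved_after_burst" if ev["result"] == "approved" else "push_burst"
        alerts.append({"user": ev["user"], "kind": kind, "pushes": len(q),
                       "rejected": rejected, "ip": ev["ip"], "at": ev["ts"].isoformat()})
    return alerts

# Constructed sample: bob logs in normally twice; alice is prompted six times in three
# minutes, denies or ignores five, then taps "Approve" on the sixth.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=bob event=mfa_push result=approved ip=198.51.100.7
2024-05-01T08:01:00Z user=alice event=mfa_push result=denied ip=203.0.113.5
2024-05-01T08:01:20Z user=alice event=mfa_push result=timeout ip=203.0.113.5
2024-05-01T08:01:45Z user=alice event=mfa_push result=denied ip=203.0.113.5
2024-05-01T08:02:10Z user=alice event=mfa_push result=timeout ip=203.0.113.5
2024-05-01T08:02:40Z user=alice event=mfa_push result=denied ip=203.0.113.5
2024-05-01T08:03:05Z user=alice event=mfa_push result=approved ip=203.0.113.5
2024-05-01T09:30:00Z user=bob event=mfa_push result=approved ip=198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(a)
```

An 'approved_after_burst' alert is the one to treat as a probable compromise: revoke the session, reset the credential, and ask the user what they saw.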

MFA Fatigue Attack Prevention

There are two main courses of action to fight against MFA fatigue attacks:

  1. Better end-user behavior
  2. Better MFA authentication methods

Let’s explore these two courses of action.

How to Fight Back Against MFA Fatigue: Train Better End-User Behavior

Your end-users are a vital component of your cybersecurity defense. A human firewall made up of individuals who are educated and vigilant about MFA fatigue attacks is one of the best lines of defense, if not THE best.

These are the things to communicate to your employees:

  • Be suspicious of every request: Don’t mindlessly approve MFA prompts without double-checking that you actually tried to log in before tapping “Yes.” The only way MFA works is when you pay attention! Do it, and do it right.
  • Context is king: Look for additional info in the prompt, like location or which app is being accessed. If it seems suspicious, hit “No.”
  • Fight fire with fire: Use stronger passwords and enable features like number matching.
  • Less is more: Limit the number of login attempts allowed before your account is locked.
  • Educate yourself: The more you know about MFA fatigue, and other threats, the less likely you are to fall victim. Security Awareness Training goes a long way in securing you and your organization.
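Two of the items above, number matching and a cap on attempts, are server-side controls, and it helps to see why they stop a blind “Yes.” The service below is an added illustration written for this article, not any vendor’s product: it assumes a two-digit number shown on the login screen that the authenticator app must send back, one answer per challenge, a 60-second challenge lifetime, and a budget of three push prompts per user per ten minutes before the account is locked for an administrator to review.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Challenge:
    number: int        # two-digit number displayed on the login screen (assumed design)
    created: float     # unix time the push was sent
    answered: bool = False

class PushMfaService:
    """Push MFA with number matching and a per-user push budget (hypothetical service)."""

    def __init__(self, max_pushes=3, window_s=600, ttl_s=60, rng=secrets.randbelow):
        self.max_pushes, self.window_s, self.ttl_s, self.rng = max_pushes, window_s, ttl_s, rng
        self.pushes = {}       # user -> timestamps of pushes sent in the current window
        self.locked = set()    # users whose push budget was exhausted
        self.challenges = {}   # challenge id -> (user, Challenge)

    def request_push(self, user, now=None):
        """Send a push for a password-verified login; returns the challenge id or None."""
        now = time.time() if now is None else now
        if user in self.locked:
            return None
        hist = [t for t in self.pushes.get(user, []) if now - t <= self.window_s]
        if len(hist) >= self.max_pushes:
            self.locked.add(user)   # stop the flood instead of wearing the user down
            return None
        hist.append(now)
        self.pushes[user] = hist
        cid = secrets.token_hex(8)
        self.challenges[cid] = (user, Challenge(number=self.rng(100), created=now))
        return cid

    def approve(self, cid, user, number_entered, now=None):
        """The app returns the number the user read off the login screen.

        A user who did not start this login never sees the number, so a reflexive tap
        cannot succeed. Each challenge accepts exactly one answer, right or wrong,
        so the 100 possible values cannot be brute-forced either."""
        now = time.time() if now is None else now
        entry = self.challenges.get(cid)
        if entry is None:
            return False
        owner, ch = entry
        if owner != user or ch.answered or now - ch.created > self.ttl_s:
            return False
        ch.answered = True
        return int(number_entered) == ch.number
```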

Improved MFA Authentication Methods

Security teams are constantly innovating to combat MFA fatigue. Here are a few next-generation authentication solutions:

  • Time-Based One-Time Passwords (TOTPs): An algorithm generates a temporary password that changes every 30 or 36 seconds. Microsoft Authenticator and Google Authenticator are the two most popular examples of TOTP apps.
  • Risk-Based Authentication: This approach analyzes login attempts and adjusts security requirements accordingly. For a trusted scenario, users would experience less friction, while suspicious attempts might require stronger verification.
  • Biometric Authentication: Fingerprint scanners and facial recognition offer a more secure alternative to traditional passwords and push notifications because they are harder to steal or replicate.
  • Fast IDentity Online (FIDO2) Authentication: This emerging standard uses public-key cryptography to create unique login credentials for each website. This makes it nearly impossible for hackers to bypass MFA with stolen credentials.

With a little awareness and some smart security practices, you can conquer MFA fatigue. By implementing a combination of strong user behavior and better MFA methods, you can keep your accounts safe and secure.

Defeat MFA Fatigue with Help from HBS

Don’t let the constant barrage of MFA requests lull you into a false sense of security. MFA fatigue is a real threat. Be mindful when approving MFA prompts, and consider implementing stronger authentication methods like biometrics or FIDO2.

If your organizational security posture isn’t where it needs to be, let HBS come alongside as your IT partner. Our security awareness training can educate your employees on MFA fatigue and many other cybersecurity threats, empowering them to make smarter security decisions.

HBS is also here to help you navigate through your MFA journey. We can help you identify which solution is right for you, we can implement that solution, and then we can manage that solution, allowing you to focus on your business goals.

Contact HBS today to learn more about how we can help you combat MFA fatigue and safeguard your organization.