August 3, 2023

MFA Notification Fatigue Attacks

I can still recall my first horror movie starring a werewolf. The bad news was that a scary monster was coming. The good news, there was a way to definitively stop it – just use a silver bullet!

In real life, we have scary threat actors coming after us as well. These “monsters” are ruthless in their attack methods and are unfortunately successful too many times to count. Though we have many defensive tools in our toolbox, a fan favorite has emerged – multi-factor authentication.

Multi-factor authentication (MFA), aka two-factor authentication, is a security measure that goes beyond the traditional username and password combination by requiring additional authentication factors. These are typically categorized into:

  • Something you know: passwords, PINs
  • Something you have: smartphones, tokens, smart cards
  • Something you are: biometrics such as facial recognition, fingerprints, voice recognition, retina

To successfully log in with MFA, users must provide at least two of these factors, not just the “something you know” username and password combo. A best practice is to use out-of-band (OOB) MFA, which means the additional factor is verified over a separate communication channel or device from the one being used to log in. A rotating PIN code displayed on the user’s desktop would be far less effective if a threat actor has already established remote control of that workstation; a push notification to a smart device, or a biometric check, is a far stronger approach by comparison.

Your silver bullet is now in the chamber and ready to fire.

But wait, this method isn’t 100% effective? How is that possible? I am using OOB MFA, the threat actors cannot directly access my cell phone, and good luck trying to get into my offline smart watch!

According to CISA, one way to circumvent this protection is an attack method known as MFA push-bombing, a form of MFA fatigue attack. Push bombing is a targeted MFA fatigue attack in which threat actors send excessive push notifications or alerts to users, hoping they will eventually accept or respond to the notifications out of frustration or exhaustion. To initiate a push-bombing attack, the threat actor has already compromised the user’s credentials (username and password). They then begin a series of login attempts in quick succession to “fatigue” the user into approving the request, in the hope that the user just wants the notifications to stop. Imagine all that protection at your back door only to let the werewolf simply walk in the front door! Though CISA and regulatory agencies encourage all organizations to consider implementing fatigue-attack-resistant MFA, many of us are just not there, yet.
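The attack described above leaves a recognizable trace on the identity provider: a burst of push prompts for one account in a short window, often ending in a single approval. The following detector is an added example, not code from this post or from any particular MFA product; it assumes a constructed log format of one line per push prompt (`timestamp user outcome`) and flags accounts whose prompt rate exceeds a threshold inside a sliding window, noting whether the burst ended in an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per MFA push prompt,
# "<ISO timestamp> <user> <outcome>", outcome in {approved, denied, timeout}.
SAMPLE_LOG = """\
2023-08-03T02:14:01Z alice denied
2023-08-03T02:14:19Z alice timeout
2023-08-03T02:14:40Z alice denied
2023-08-03T02:15:05Z alice denied
2023-08-03T02:15:31Z alice timeout
2023-08-03T02:16:02Z alice approved
2023-08-03T09:00:12Z bob approved
2023-08-03T13:30:44Z bob approved
"""

WINDOW = timedelta(minutes=10)  # look-back window for counting prompts
THRESHOLD = 5                   # prompts inside WINDOW that count as a burst


def parse_log(text):
    """Parse log lines into sorted (timestamp, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, user, outcome))
    return sorted(events)


def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (max_prompts_in_window, burst_approved)} for users whose
    prompt count reaches `threshold` inside any sliding `window`.
    burst_approved=True means a prompt in the burst was accepted, i.e. the
    fatigue attack likely succeeded and the account should be treated as
    compromised rather than merely targeted."""
    per_user = defaultdict(list)
    for stamp, user, outcome in parse_log(text):
        per_user[user].append((stamp, outcome))
    findings = {}
    for user, prompts in per_user.items():
        start = 0
        for end in range(len(prompts)):
            # Advance the window start until prompts[start..end] fit in `window`.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(o == "approved" for _, o in prompts[start:end + 1])
                prev_count, prev_approved = findings.get(user, (0, False))
                findings[user] = (max(count, prev_count), prev_approved or approved)
    return findings
```

On the constructed sample, alice is flagged with six prompts in under two minutes and an approval at the end, while bob’s two prompts hours apart are ignored; tune `WINDOW` and `THRESHOLD` to your own provider’s baseline prompt volume.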

In the interim, education can be your best defense when used in conjunction with your active authentication practices. Train your users about phishing and MFA fatigue attacks along with your traditional social engineering campaign. Teach them that the only time they should click accept is when they have sent the request during an actual login attempt initiated by them – with zero exceptions. The first goal is that users refuse any suspicious MFA prompt; the second is that they report these attempts to those in charge of IT infrastructure immediately.

Striking the right balance between security and usability is important. Consider implementing user-friendly MFA solutions in conjunction with robust Information Security Awareness education to help your organization mitigate MFA fatigue and ensure the protection of sensitive information without compromising user experience.

Authored by: Benjamin Caruso, CBISO
