What Is an MFA Fatigue Attack?

If your company is using multifactor authentication (MFA) to prevent cyberattacks, you should know that hackers have figured out ways to get around it. They can use malware and Man-in-the-Middle attacks to steal your authentication codes in real time… or they can take the easy route by launching an MFA Fatigue attack.

Important note: MFA hacks are rare and MFA is still extremely effective for preventing attacks. If your company uses passwords, we still strongly recommend using multifactor authentication everywhere you can. 

TL;DR: MFA Fatigue attacks overwhelm users with an endless stream of authentication requests until a user mistakenly lets the hacker in by “approving” a request instead of “denying” it. Learn more from Interplay.

What Are MFA Fatigue Attacks?

In an MFA Fatigue attack, cybercriminals attempt to get your employees so sick and tired of MFA push approvals that one of them mistakenly approves a request and lets the hacker in.

Here’s how it typically works:

  1. A hacker steals or purchases usernames and passwords for your employees and attempts to use them to log in. 
  2. The MFA cybersecurity layer sends a push notification to the employee’s phone asking them to approve the fraudulent login attempt. 
  3. Your employee denies the request. 
  4. The hacker activates a script that sends that push notification over and over and over and over to the employee’s phone. 
  5. Your employee keeps hitting “deny.” 
  6. The hacker calls the employee or sends an email, pretending to be from IT and requesting that the employee approve the request. 
  7. The CYBERSAFE employee sees right through that ruse and keeps hitting “deny”… until their finger slips one time and they mistakenly hit “approve.” 
  8. Game Over

This may sound like an unlikely success for a cybercriminal, but it worked to breach Microsoft, Cisco, and Uber. It could work at your company too. 

How You Can Prevent MFA Fatigue Attacks at Your Company

Both your company and your users (employees) need to work together to prevent a successful MFA Fatigue attack.

  • Your company should: Turn the frequency of MFA requests from your authentication software down, not up. Prevent oversaturation by reducing your denial threshold so that very few denials are allowed before lockout.
  • Your employees should: Keep denying unrecognized requests, contact IT to tell them about strange or repetitive authentication behavior, and change a compromised password immediately to block the hacker from using it. 
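
The denial threshold described above can be sketched as a check over MFA push events. This is an added example, not Interplay's code or any MFA product's API; the event format, the threshold of 3, the 10-minute window and the choice to count unanswered prompts as denials are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; tune them to your environment.
MAX_DENIALS = 3                  # denials tolerated before lockout
WINDOW = timedelta(minutes=10)   # sliding window for counting denials

# Constructed sample events: (ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "denied"),
    ("2024-05-01T09:00:40", "alice", "denied"),
    ("2024-05-01T09:01:10", "alice", "timeout"),
    ("2024-05-01T09:01:30", "alice", "denied"),
    ("2024-05-01T09:02:05", "alice", "approved"),  # the "finger slip"
    ("2024-05-01T08:00:00", "bob", "denied"),
    ("2024-05-01T12:00:00", "bob", "denied"),
    ("2024-05-01T12:00:20", "bob", "approved"),
]

def evaluate(events, max_denials=MAX_DENIALS, window=WINDOW):
    """Return (locked, suspicious_approvals).

    locked maps a user to the time the denial threshold was reached.
    suspicious_approvals lists approvals that arrived after lockout;
    they must not grant access and should be investigated.
    """
    recent = defaultdict(deque)   # user -> recent denial timestamps
    locked, suspicious = {}, []
    for ts, user, result in sorted(events):
        when = datetime.fromisoformat(ts)
        if user in locked:
            if result == "approved":
                suspicious.append((user, when))
            continue              # no further prompts count once locked
        if result in ("denied", "timeout"):
            q = recent[user]
            q.append(when)
            while when - q[0] > window:   # drop denials outside the window
                q.popleft()
            if len(q) >= max_denials:
                locked[user] = when
        elif result == "approved":
            recent[user].clear()  # a normal login resets the count
    return locked, suspicious
```

With the sample events, alice is locked at the third failed prompt, so the later accidental approval is rejected, while bob's two denials hours apart never reach the threshold.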

Looking for a More Secure Login Solution? Try Passwordless Login.

Passwordless logins eliminate the hassle of creating, remembering, and frequently changing complex and unique passwords – thank goodness! 

Aside from their convenience, passwordless logins are more secure and eliminate the risk of falling victim to an MFA Fatigue attack. After all, if a cybercriminal doesn’t have a password to steal, they can’t use that password to prompt an MFA Fatigue attack. 

Best of all, it’s easy to try out passwordless login at your company. Let the Interplay team know when you’re ready to give it a spin.  
