Multi-factor authentication (MFA) fatigue is the name given to a technique in which adversaries flood a user’s authentication app with push notifications in the hope that the user will accept one, thereby enabling the attacker to gain entry to an account or device. This attack has been used in many high-profile data breaches, including the recent Uber attack.
What Is MFA Fatigue?
MFA fatigue is a type of attack in which an adversary sends a large number of push notifications to a user in the hope that they will accept one of them and thereby enable the attacker to gain access to an account or device. The attack relies on the user not knowing who triggered the prompts and on their willingness to accept notifications from unknown sources. In the case of the Uber breach, it is believed that the attackers obtained corporate login credentials but were then unable to access the account because of multi-factor authentication. By impersonating Uber IT and sending a large number of notifications, they were eventually able to get around this security measure.
“In a blog posted earlier this week, GoSecure described the attack as ‘simple’ given that it only requires an attacker to manually send repeated push notifications while trying to log into your account.” It does require the attacker to already hold valid credentials, which could be obtained through brute force, password reuse or password spraying. Once they have those, all they need is patience.
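Because the attack is a burst of push prompts against one account from one place, it leaves a recognisable pattern in identity-provider logs. The following detector is an added example written for this page, not code from the article or from any vendor: it scans constructed push-prompt events (the log format, field names and sample values are assumptions) and flags a user/source-IP pair that received many prompts within a short window, noting whether an approval finally followed the flood.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one push prompt per line:
# timestamp, user, source IP of the login attempt, push result.
SAMPLE_EVENTS = """\
2024-01-10T08:00:01Z alice 203.0.113.7 denied
2024-01-10T08:00:20Z alice 203.0.113.7 denied
2024-01-10T08:00:41Z alice 203.0.113.7 timeout
2024-01-10T08:01:05Z alice 203.0.113.7 denied
2024-01-10T08:01:30Z alice 203.0.113.7 denied
2024-01-10T08:01:55Z alice 203.0.113.7 approved
2024-01-10T08:03:00Z bob 198.51.100.4 approved
"""

def parse_events(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_push_flood(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, ip): {...}} for pairs that received >= threshold push
    prompts inside any sliding window of length `window`. The flag
    approved_after_flood records whether the flood ended in an approval,
    which is the moment an MFA fatigue attack succeeds."""
    by_key = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_key[(user, ip)].append((ts, result))
    alerts = {}
    for key, prompts in by_key.items():
        start = 0
        for end in range(len(prompts)):
            # Advance the window start until every prompt in it fits the window.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alert = alerts.setdefault(key, {"prompts": 0, "approved_after_flood": False})
                alert["prompts"] = max(alert["prompts"], count)
                # The newest prompt in the window is an approval after >= threshold-1 others.
                alert["approved_after_flood"] |= prompts[end][1] == "approved"
    return alerts
```

A real deployment would read the identity provider's own push-event fields and tune the threshold to the organisation's normal prompt rate; an alert with approved_after_flood set warrants an immediate session revocation and a conversation with the user.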
Multi-factor authentication (MFA) is a vital security measure for businesses, but it can also be exploited by attackers. Multi-factor authentication fatigue attacks are a serious threat and businesses need to take steps to protect themselves. Employees should be educated about the importance of not accepting unverified push notifications and suspicious activity should be reported to IT immediately. By taking these steps, you can help ensure that your business is protected against MFA fatigue attacks.