MFA, particularly through SMS messaging, has become essential to our digital defence systems. However, as with any frequently used process, people can become fatigued, and bad actors take advantage of this. They exploit our annoyance with continuous MFA prompts, creating a new type of cybersecurity danger dubbed ‘MFA fatigue.’

MFA fatigue occurs when users yield to numerous MFA requests through SMS and complete the verification. They frequently do this to make the unwanted prompts stop, either erroneously supposing it’s a system malfunction or simply acting out of habit. This surrender opens the door for attackers.

The rising adoption of this technique by hostile actors demonstrates its effectiveness. The attacks are increasing because they work, taking advantage of our all-too-human proclivity for repetitive responses. A recent breach of Uber’s corporate network provided a dramatic example of such an attack.

In the case of Uber, an attacker hammered an employee with MFA prompts for nearly an hour. Then, posing as the company’s IT team, they contacted the employee directly via WhatsApp with an official-looking request. The employee was instructed to accept the MFA requests to stop the bombardment, and when they did so, the attacker got past authentication and expanded the breach.

Note that this type of attack requires the attacker to already know the victim’s login credentials. These might come from a previous breach or the dark web, which underlines the importance of adopting unique, strong passwords that are constantly updated.
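The pattern in the Uber case above, a run of rejected or ignored MFA prompts for one account within about an hour that ends in an approval, can be flagged from authentication logs. The following detection sketch is an added example, not part of the original article; the log format, the outcome names (`denied`, `timeout`, `approved`), the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed look-back window
THRESHOLD = 5                   # assumed number of rejected/ignored prompts that counts as a burst

# Constructed sample log (hypothetical format): "<ISO time> <user> <outcome>"
SAMPLE_LOG = """\
2024-01-10T08:58:00 bob approved
2024-01-10T09:00:00 alice denied
2024-01-10T09:04:00 alice timeout
2024-01-10T09:09:00 alice denied
2024-01-10T09:15:00 carol denied
2024-01-10T09:21:00 alice timeout
2024-01-10T09:30:00 alice denied
2024-01-10T09:52:00 alice approved
2024-01-10T13:00:00 carol approved
"""

def parse(log_text):
    """Yield (timestamp, user, outcome) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        try:
            ts, user, outcome = line.split()
            yield datetime.fromisoformat(ts), user, outcome
        except ValueError:  # wrong field count or unparseable timestamp
            continue

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for prompt bursts and for approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> times of rejected/ignored prompts
    alerts = []
    for ts, user, outcome in sorted(parse(log_text)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # count has just reached the burst threshold
                alerts.append((ts, user, "prompt_burst"))
        elif outcome == "approved":
            if len(q) >= threshold:      # approval directly after a burst: likely fatigue
                alerts.append((ts, user, "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for ts, user, kind in detect_mfa_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

An `approved_after_burst` alert is the higher-priority signal, since it marks the moment the user gave in; a single denial followed hours later by an approval, as for `carol` in the sample, produces no alert.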

Uber’s experience with MFA fatigue underlines the importance of the human element in cybersecurity defences. It serves as a reminder of the need to inform employees and contractors about evolving threats. While technology provides powerful defences, our understanding and behaviour ultimately play a critical role in sustaining a solid security posture.

Understanding potential weaknesses such as MFA fatigue becomes even more important as we rely on MFA to secure our digital lives. Addressing this requires striking a balance between security and usability, which is the new challenge that cybersecurity strategists must rise to meet.