Multi-factor authentication (MFA) is a trusted security method used across the world. It adds an extra layer of protection beyond usernames and passwords. But cybercriminals have found a way to turn this security step into a weakness. This method is called MFA fatigue or MFA bombing.
These attacks are not technical. They rely on human error and persistence. And they are proving to be very effective.
What Are MFA Fatigue Attacks?
MFA fatigue attacks happen when a hacker sends repeated login approval requests to a user's device. The attacker tries to wear down the target by flooding them with nonstop notifications.
Eventually, the user may approve the request just to stop the annoyance. That single approval gives the attacker access to the account.
How Attackers Make It Work
MFA fatigue often starts with stolen credentials. These can come from phishing, data leaks, or dark web purchases. Once the attacker has the username and password, they try to log in.
The system then sends an MFA prompt to the victim's device.
Instead of giving up, the attacker sends prompt after prompt, sometimes dozens within minutes. They rely on the user getting tired, distracted, or curious enough to hit “Approve.”
Real-World Examples
In 2022, Uber was breached through an MFA fatigue attack. The attacker spammed an employee with push notifications and messaged them on WhatsApp, pretending to be IT support. The employee finally accepted the request.
This tactic is simple but dangerous. Even trained staff can fall for it.
Why MFA Fatigue Works
- People are used to approving MFA prompts quickly
- Employees may assume it’s a system glitch
- Late-night or off-hours attacks catch users off guard
- Some users do not fully understand what MFA approvals mean
How to Prevent MFA Fatigue Attacks
Stopping MFA fatigue is possible with smarter tools and better training.
Use Number Matching
Instead of a simple “Approve” button, number matching asks users to enter a code from the login screen into their app. This prevents accidental approvals.
Set Limits on Requests
Block repeated login attempts after a few failed tries. Rate limiting helps reduce MFA spam.
Train Employees
Teach users to report repeated MFA requests immediately. They should never approve a login they did not start.
Enable Biometric or Hardware Keys
Physical security keys or biometric authentication methods are harder to bypass and do not rely on push notifications.
Monitor for Unusual Login Behavior
Use tools that track login attempts by location, device, and time. Block suspicious activity automatically.
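As an added example that is not part of the original post, the following Python script shows the "Set Limits on Requests" and "Monitor for Unusual Login Behavior" controls as detection logic run over constructed MFA push log lines: it flags any account that receives more than a set number of push prompts inside a sliding window, records whether the user approved during the flood, and marks floods that start outside business hours. The log format, field names, threshold, window and the 07:00-19:00 business-hours assumption are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of identity-provider MFA push log lines (not real data).
# Assumed format: "<ISO time> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>"
SAMPLE_LOG = """\
2024-03-01T09:02:10Z user=bob event=push_sent ip=198.51.100.4
2024-03-01T09:02:15Z user=bob event=push_approved ip=198.51.100.4
2024-03-01T02:14:05Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:14:21Z user=alice event=push_denied ip=203.0.113.7
2024-03-01T02:14:40Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:15:02Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:15:30Z user=alice event=push_sent ip=203.0.113.7
2024-03-01T02:16:11Z user=alice event=push_approved ip=203.0.113.7
"""

def parse_log(text):
    """Parse log lines into (time, user, event, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"], kv["ip"]))
    return sorted(events)

def detect_push_floods(events, max_prompts=3, window=timedelta(minutes=5)):
    """One alert per user who got more than max_prompts pushes inside a sliding window.
    Also flags an approval made while the flood was running (a likely fatigue success)
    and a flood starting outside assumed business hours (07:00-19:00, server time)."""
    alerts = {}
    recent = defaultdict(list)  # user -> push_sent timestamps still inside the window
    for stamp, user, event, ip in events:
        if event == "push_sent":
            q = recent[user]
            q.append(stamp)
            while stamp - q[0] > window:  # expire prompts older than the window
                q.pop(0)
            if len(q) > max_prompts:  # limit crossed: alert and stop sending further pushes
                a = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "first_prompt": q[0], "source_ips": set(),
                    "off_hours": not 7 <= q[0].hour < 19, "approved_during_flood": False})
                a["prompts"] = max(a["prompts"], len(q))
                a["source_ips"].add(ip)
        elif event == "push_approved" and user in alerts:
            # approval within the window of the last flooded prompt: revoke the session
            if recent[user] and stamp - recent[user][-1] <= window:
                alerts[user]["approved_during_flood"] = True
    return list(alerts.values())
```

On the sample data only alice is flagged: four prompts in under two minutes, starting at 02:14, followed by an approval while the flood was still active, which is the case to treat as an incident rather than a successful login.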
Final Thoughts
MFA fatigue attacks show that even the best security tools can fail without the right controls. Relying only on push-based MFA is no longer enough.
Security should not annoy users into making mistakes. With better education and smarter verification methods, companies can stay protected without overwhelming their teams.