For the best web experience, please use IE11+, Chrome, Firefox, or Safari

What is MFA fatigue

MFA fatigue is a type of social engineering attack where malicious actors bombard a user with repeated multi-factor authentication (MFA) requests, hoping that they will approve one out of frustration or exhaustion. MFA fatigue specifically targets the human element of cybersecurity, i.e. it tries to trick the user rather than break into the system directly.

How does an MFA fatigue attack work?

Here’s how a typical MFA fatigue attack unfolds:

  1. The attacker gets their hands on the user's primary login credentials (e.g. username and password). This is a prerequisite for an MFA fatigue attack, as the attacker needs to have some level of access to trigger the MFA (multi-factor authentication) prompts. They may obtain these credentials through phishing, data breaches, malware or a vulnerability in the authentication system.
  2. With the stolen credentials, the attacker tries to log into the target system. However, the system requires MFA to proceed.
  3. The attacker generates a series of MFA requests to the target’s phone, email or authenticator app. They may do this by:

    • Submitting multiple login attempts with incorrect passwords.
    • Using automated scripts to generate MFA requests.
    • Exploiting vulnerabilities in the MFA system.
  4. The target user receives a constant stream of MFA notifications in a short period, and becomes frustrated and/or anxious. This state of mental exhaustion makes them more susceptible to committing a mistake.
  5. Out of annoyance, confusion or simply a desire to stop the notifications, the user may eventually approve one of the MFA requests.
  6. As soon as the user approves the request, the attacker gains access to the target account or system.
How does an MFA fatigue attack work?

What do hackers do after a successful MFA fatigue attack?

The MFA fatigue attack is aimed specifically at the MFA level of a layered access control system, having gained login credentials, and trying to access the systems protected. By linking together the pieces of the attack chain, the MFA bypass enables hackers to:

  • Steal personal or confidential data stored in the account.
  • Exploit vulnerabilities (or lack of additional controls) to gain access to privileged access. This would allow them to move laterally within the network and authenticate themselves to even more valuable systems/data.
  • Deploy malicious software to further infiltrate or damage the system.
  • Set up hidden access points to maintain remote control over the system.
  • Send emails or messages impersonating the user to deceive others and propagate further attacks.

Types of MFA fatigue attacks

In addition to the basic MFA attack we discussed above, there are other variations that malicious actors use to exploit human psychology and bypass MFA security. We’ll discuss some of them below:

An urgent threat

Attackers create a sense of urgency by sending MFA requests with messages like "Your account will be locked if you don't approve this request immediately." This tactic preys on the user’s fear of losing access to their account.

Masquerading as a trusted source

They disguise themselves as a trusted entity, like a colleague, manager or IT support, to convince the user to approve the MFA request. For example, “Hi, this is John from IT. We need you to approve this MFA request to update your security settings."

Timing the attack

They may time their malicious MFA requests to coincide with the user’s normal login times or during periods of high activity. This makes it more likely for the user to unknowingly approve a malicious request, as it blends in with their usual workflow.

Real world examples of MFA fatigue attacks

There are several high-profile incidents that highlight the effectiveness of MFA fatigue attacks. Here are some examples:

Cisco

In May 2022, an attacker used a combination of MFA fatigue and sophisticated vishing (voice phishing) techniques to compromise a Cisco employee’s account. The employee was bombarded with a relentless series of voice calls and push notifications for login approval. Eventually, they succumbed to the attacker’s persistence, and approved a fraudulent MFA request, granting the attacker access to the Cisco network.

Uber

In September 2022, a malicious actor stole the credentials of a contractor at Uber. They then repeatedly triggered MFA requests until the user, overwhelmed by the constant notifications, approved one. As a result, the malicious actor was able to access several of Uber’s internal systems, and even disrupt some of their services.

Apple

In 2024, Apple customers fell victim to MFA fatigue attacks. Hackers managed to bypass security measures, including CAPTCHA challenges and rate limits on the "forgot password" page, to bombard users with repeated MFA requests.

Proven methods that prevent MFA fatigue

MFA fatigue is a serious threat, but there are steps that organizations can take to mitigate the security risks. For example, they can:

  1. Use adaptive authentication
    Implement security measures that consider additional context beyond just the login attempt. This can include location, time of day, device fingerprint and behavioral analytics to identify anomalies and flag suspicious login attempts.

  2. Limit MFA request attempts
    Set a threshold for the number of MFA requests that can be sent in a short period. If this limit is reached, temporarily block subsequent requests and alert the user and IT team.
  3. Use FIDO2 authentication
    Leverage FIDO2 authentication that uses physical security keys or biometric data. FIDO2 methods are more resistant to phishing and MFA fatigue attacks, as they require physical possession or biometric verification.
  4. Educate users
    Regularly train users on the importance of MFA and the tactics used in MFA fatigue attacks. Aware users are more likely to recognize malicious MFA requests.

Conclusion

MFA fatigue is a serious security risk, but by understanding the attackers’ tactics and implementing the preventative measures outlined above, you can significantly reduce the risk of stolen data and compromised systems.