Almost 60% of organisations use multi-factor authentication, making it a significant stumbling block for cybercriminals. But hackers are now finding workarounds with MFA bombing attacks: attackers repeatedly push MFA requests to victims’ phones, trying to coerce them into approving one of them. In 2022, Microsoft reported more than 382,000 attacks due to MFA fatigue.
The arguably most famous MFA fatigue cyberattack is the Uber hack: attackers purchased the credentials of an Uber employee on the dark web, but their account was protected by two-factor authentication. The hacker directly contacted the Uber employee via WhatsApp, pretending to be a member of Uber’s security team, and asked the victim to approve the MFA notifications sent to their phone. Once inside, the hacker discovered Microsoft Powershell scripts containing login details of an administrator account.
Another, more blunt approach is to send countless MFA requests to the employee device, overwhelming them with notifications. In an attempt to stop the notifications, some employees simply approve them. This is why these types of attacks are sometimes also referred to as an ‘MFA fatigue attack.’
So, how can organisations stop MFA fatigue attacks? An easy step is to limit the number of MFA notifications someone can receive. A more specialised response is risk-based authentication, which analyses whether there is anything unusual about an MFA request based on factors like location, time of day, and frequency of requests. It can warn the user of the potentially malicious nature of the request or lock their account to prevent them from accepting it.
Why does this matter for businesses?
Organisations should be aware of this emerging risk, but remember that the first line of defence is a strong password policy - an MFA attack can only occur when a password has been compromised. Businesses should prioritise going back to basics and ensure they follow best practices around creating and protecting passwords.