Why Training Employees is Your First Defense Against MFA Fatigue


Multi-factor authentication (MFA) is one of the most important security developments of the past 25 years. It adds an extra level of security to the woefully insufficient password, protecting users the world over by ensuring only legitimate users can access their accounts. Unfortunately, as is so often the case, cybercriminals have found MFA’s weakness. Fortunately, however, all is not lost: with proper training, you can ensure your staff never fall afoul of MFA fatigue. Keep reading to find out more.

What is MFA Fatigue?

MFA fatigue attacks, also called MFA bombing or push fatigue attacks, involve a threat actor repeatedly sending authentication requests to a target user in a short period. They aim to overwhelm the target user, causing them to accidentally approve the request and allow the attacker to access their account.

Here’s an overview of how a typical MFA fatigue attack plays out:

· Compromised Credentials: The attacker gains possession of a compromised set of credentials (a username and password combination), typically through phishing or credential attacks, a previous data breach, or buying them on the dark web.

· Attempted Login: The attacker uses these credentials to try to log in to the user’s account. The login attempt triggers an MFA challenge, such as an SMS or email code, push notification on an authenticator app, or phone call.

· Repeated Attempts: Initially, the user will usually reject the MFA challenge, so the attacker will attempt to log in over and over again, triggering multiple challenges in a short period.

· Overwhelmed User: In the face of repeated MFA challenges, the victim eventually grows overwhelmed, confused, fatigued, frustrated, or even assumes the prompts are legitimate requests.

· Accepted Request: The user accepts the authentication request, granting the attacker full access to their account.

Like so many cyberattacks, MFA fatigue relies on two key ideas: the likelihood of users making mistakes when under pressure or duress and their inability to recognize the signs of an attack. Perhaps the most famous example of an MFA fatigue attack was the Uber breach of 2022, whereby the Lapsus$ ransomware gang gained access to reams of sensitive data and internal tools.

Training Users to Combat MFA Fatigue

Organizations can overcome both issues by training staff to recognize and respond to MFA fatigue attacks. The first stage of this training should explain MFA fatigue in detail, with a particular focus on how attackers rely on user fatigue and impatience to succeed.

Preventing MFA Fatigue Attacks

Remember: MFA fatigue attacks can only materialize when an attacker gets hold of compromised credentials. It stands to reason, then, that you can combat MFA fatigue attacks by ensuring your staff’s credentials aren’t exposed. Train staff to recognize and report phishing attacks and educate them on the importance of creating strong, unique passwords for each account.

Recognizing MFA Fatigue Attacks

It’s then important to ensure that staff understand and can recognize potential indicators of an MFA fatigue attack. You should impress on staff that they should be wary of:

· Multiple Requests: Receiving multiple MFA requests in a short period, especially if you haven’t initiated any login attempts, could indicate an MFA fatigue attack.

· Unexpected Timing: Staff should treat MFA requests at unusual times, such as late at night or at the weekend, as suspicious.

· Unfamiliar Devices: MFA requests from unfamiliar devices or locations are often an indication of an MFA fatigue attack.
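As an added example (not from the original article), the following Python check applies the three indicators above to a constructed sample of authenticator push logs so a help desk or SOC can spot the pattern before a user is worn down. The log format, the device baseline and the working-hours window are assumptions.

```python
"""Flag the MFA-fatigue indicators (burst of pushes, odd hours, unfamiliar device)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push events (not real data): time (UTC) user result device location
SAMPLE_LOG = """\
2024-05-06T02:11:04Z alice denied unknown-android RU
2024-05-06T02:11:31Z alice denied unknown-android RU
2024-05-06T02:12:02Z alice denied unknown-android RU
2024-05-06T02:12:40Z alice denied unknown-android RU
2024-05-06T02:13:15Z alice approved unknown-android RU
2024-05-06T09:02:10Z bob approved bob-laptop GB
2024-05-06T14:30:55Z bob approved bob-laptop GB
"""
# Assumed baseline of devices each user normally authenticates from.
KNOWN_DEVICES = {"alice": {"alice-iphone"}, "bob": {"bob-laptop"}}
BURST_THRESHOLD = 4                # this many pushes inside BURST_WINDOW is a burst
BURST_WINDOW = timedelta(minutes=5)
WORK_HOURS = range(7, 20)          # assumed normal hours: 07:00-19:59 UTC, weekdays


def parse_events(text):
    """Parse the space-separated sample format into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, device, location = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result,
                       "device": device, "location": location})
    return events


def find_indicators(events):
    """Return {user: set_of_indicators} for users whose pushes look like fatigue."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs)):       # sliding window: multiple requests in a short period
            window = [e for e in evs[i:] if e["time"] - evs[i]["time"] <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                findings[user].add("multiple_requests")
                if any(e["result"] == "approved" for e in window):
                    findings[user].add("approved_after_burst")  # likely a successful attack
                break
        for e in evs:
            if e["time"].hour not in WORK_HOURS or e["time"].weekday() >= 5:
                findings[user].add("unexpected_timing")
            if e["device"] not in KNOWN_DEVICES.get(user, set()):
                findings[user].add("unfamiliar_device")
    return dict(findings)
```

Feeding real push logs in would require adapting `parse_events` to the identity provider's export format; the indicator logic itself is format-independent.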

Responding to MFA Fatigue Attacks

Your employees must know how to respond to potential MFA fatigue attacks. Impress on them that if they think a login attempt might be suspicious, they should avoid approving it, check their recent activity for unauthorized login attempts, speak to the IT department to verify its legitimacy, and change their password as soon as possible.

Reporting MFA Fatigue Attacks

You must also ensure that staff feel comfortable reporting MFA fatigue attacks. Staff being able to avoid falling victim to MFA fatigue is great, but encouraging them to report attacks can help you address the root cause of attacks and issue company-wide warnings to improve your resilience.

Consider setting up an email address, Slack or Teams channel, or web form for staff to report potential attacks. The crucial point is to assure staff that they will never be punished or disciplined for reporting an attack; this will ensure they feel safe in reporting potential MFA fatigue.

Summing Up

Ultimately, MFA fatigue attacks are a serious problem, but with proper training, your staff can fight back against them. Teach staff to recognize suspicious MFA requests (such as multiple requests within a short period, unexpected timing, and unfamiliar devices), emphasize that they should never automatically approve requests, and encourage them to report any suspicious activity; with these in place, you should be able to ward off most of these attacks. By empowering employees to recognize and respond to MFA fatigue attacks, you can significantly enhance your security posture and minimize the risk of a data breach.

About the author:
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.

Original source of the story: Why Training Employees is Your First Defense Against MFA Fatigue

Website of source: https://www.prophetsecurity.ai

Source: Story.KISSPR.com
Release ID: 1297618