article featured image


MFA, or multi-factor authentication, is a security technique that requires users to verify their identities by offering multiple forms of identification before being granted access to a resource such as an application, online account, website, or VPN. Rather than relying solely on factors such as username and password, MFA brings an extra layer of security by requesting the user to go through multiple sequences to have his access granted to the account.

But as security got tighter, threat actors also got more advanced. Hackers have figured out multiple ways to trick the authentication systems and users into providing access to their accounts. Today, we will tackle MFA fatigue, which has become an increasing concern in cybersecurity.

What Is MFA Fatigue?

Also known as MFA push spam, MFA bombing or prompt bombing, MFA fatigue is a strategy used by threat actors to get around the multi-factor authentication process and break into users’ accounts. Unlike other approaches of bypassing MFA, such as through social engineering, hijacking or man-in-the-middle attacks, MFA fatigue follows a brute force approach to gain access to accounts. Account owners who attempt to log in using credentials that have been stolen, leaked, or guesstimated are repeatedly prompted to confirm their identity. Until they make a mistake, become psychologically exhausted, or the assailant leaves, this barrage continues.

This tactic has proven to be successful for groups such as Lapsus$ and Yanluowang, who are responsible for breaching big corporations such as Microsoft, Uber, or Cisco.

How MFA Fatigue Works

As explained previously, MFA fatigue is a strategy that relies on brute force. It can be a surprisingly effective and lucrative strategy for hackers, as more businesses are adopting multi-factor authentication. The user is bombarded by notifications until the user grants access just to make them stop. The pressure on the user is especially intense on mobile devices, as it grants threat actors 24/7 access to their victims, so they can keep the bombardment of notifications coming for days. Alongside notifications, victims may also be repeatedly notified via e-mail by the attackers, increasing the pressure of the attack on the victim.

In order to proceed with the MFA fatigue strategy, the threat actor must complete some steps. First, the threat actor has to get access to the user’s basic login info (e-mail address, username, password). Cybercriminals have a variety of methods at their disposal to fulfill this step, one of them is launching a phishing campaign to trick users into giving up this information.

After the attacker acquired the user’s basic login info, it is time for the second step, the launch of the attack. The strategy is to repeatedly spam the user with authentication prompts and hope for the person to either make a mistake or cave under the pressure of countless notifications. Such attacks are not guaranteed to succeed, since threat actors cannot force the holder of the account to confirm the login, but being a simple strategy, it can be automated and scaled up quickly, giving the attackers more chances of gaining access to accounts.

Protecting Yourself Against MFA Fatigue

The most crucial factor in preventing MFA Fatigue attacks is awareness and information. Users may be less likely to fall victim to these attacks if they are aware that they can occur.

1.     Inform Your Employees

The best way to stop an MFA fatigue attack is to make sure your staff knows what to look out for and how to respond to the situation. When their phone is constantly vibrating with authentication attempts, most people can easily tell that something is wrong, but they might not know what to do about it. Make sure you teach your staff not only the fundamentals of cybersecurity but also where to go for help.

2.     Resilient Authentication

MFA fatigue uses a few key weaknesses in the way organizations are setting up their multi-factor authentication process. Businesses may lower the risk of being the victims of MFA fatigue by implementing some extra security measures, such as limiting the amount of sign-in attempts or implementing a confirmation signal, such as a PIN. Any attempts to persuade a user to enter these numbers into their authentication app should be instantly seen as suspect, especially if that login attempt is coming from another country. This is because only the person logging into the account will be able to view these numbers. This method is already implemented in companies such as Microsoft or Google.

3.     Disable Push Notifications

This attack technique is made possible by the fact that push notification requests are made with the least amount of user friction possible, allowing a user to rapidly click “yes/allow” on a request. In order to strengthen security, most MFA providers let you eliminate push notification requests as a verification mechanism and utilize challenge & response or time-based one-time password verification instead.

4.     Improve Your Security

In order to have your company fully secured, the emphasis should also be directed toward strong, all-encompassing cybersecurity strategies. Heimdal®’s Privileged Access Management includes one of these options, which is zero trust (“never trust and always verify”). The solution considers any individual and device attempting to connect to a network as a possible threat. MFA can be one component of the zero-trust security model, but definitely not the only one.

Heimdal Official Logo
System admins waste 30% of their time manually managing user rights or installations

Heimdal® Privileged Access Management

Is the automatic PAM solution that makes everything easier.
  • Automate the elevation of admin rights on request;
  • Approve or reject escalations with one click;
  • Provide a full audit trail into user behavior;
  • Automatically de-escalate on infection;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Wrappin’ Up

As I have explained previously in the article, the ways in which threat actors operate are getting more sophisticated, and automatically this leads to a greater cybersecurity risk for businesses. MFA fatigue is a problem that is getting more common, as it is a fully automated and easy solution for attackers to gain unrequested access to different accounts in a business.

However, by following the recommendations and implementing a strong security system, as well as informing your employees about this current trend among threat actors, your business will be able to remain safe, even in such conditions.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.