What is an MFA fatigue attack?
Multi-factor authentication (MFA) is an important part of keeping our accounts secure. Enabling MFA adds another layer of defense against account takeover. While MFA remains an important account protection tool, users should understand its limitations and the warning signs to watch for when problems arise.
An MFA fatigue attack is a social engineering tactic that has been tied to many cybersecurity incidents and breaches. The goal is to wear down the victim’s alertness and patience, leading them to approve an MFA push notification out of frustration, annoyance, or confusion. The threat actor relies on the account owner eventually approving one of the requests, thereby giving them access to devices and systems protected by the MFA application.
An MFA fatigue attack requires the threat actor to already have the victim’s credentials — possibly acquired from phishing or purchased on a dark web marketplace.
Here’s how an attack works:
A threat actor uses a set of compromised credentials to repeatedly attempt to log into an account that is MFA protected.
Each login attempt generates a multi-factor approval request that is delivered to the account owner (often via a mobile phone). The account owner must then either approve or deny the request.
The attacker hopes that the recipient will get tired of the repeated requests and eventually approve the login, giving the attacker access to the account.
In some cases, an attacker might use a social engineering attack where they impersonate IT support staff and contact an account owner directly (by phone, email, or a messaging app) to encourage them to accept a request.
MFA fatigue attacks are more common when the authentication relies on push notifications that can be approved with the simple press of a button. An example of a push notification is a screen pop-up with a message like “a device is trying to access your account, click to allow.” MFA fatigue attacks may also be more successful against push notifications because a victim can approve the login with a single accidental tap. Using a temporary, one-time code (e.g., via Google Authenticator) to verify identity is more resistant to MFA fatigue attacks, because this type of approval is unlikely to happen by accident.
How to defend against an MFA fatigue attack:
User training and awareness: make sure users understand what an MFA fatigue attack is, how to recognize one, and how good account and password hygiene helps avoid them.
Use one-time passwords (OTP): using an authenticator app and typing in the one-time code slows down the attack process, giving users time to think and react appropriately. It also reduces the chance of an accidental approval.
Limit MFA access attempts: limit the number of times an MFA request can be generated by locking out the user for a specific period of time after a number of attempts (say 8 or 10 tries). This type of limit shouldn’t affect legitimate users, but it can reduce the likelihood that an automated attack will succeed.
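One way to implement the lockout just described, plus a detection check for the run of denials that a push-bombing campaign produces, as an added example that is not part of the original article (the thresholds, the log format and the user names are constructed for illustration):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample push log (user, UTC time the prompt was sent, owner's response).
# Not real data: "alice" is being push-bombed from one set of stolen credentials.
SAMPLE_EVENTS = ([("bob", "2024-01-10T08:15:00Z", "approved")]
                 + [("alice", f"2024-01-10T09:00:{s:02d}Z", "denied") for s in range(0, 50, 5)]
                 + [("bob", "2024-01-10T13:40:00Z", "approved")])

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class PushRateLimiter:
    """Cap push prompts per user in a sliding window; lock the account when exceeded."""
    def __init__(self, max_prompts=8, window=timedelta(minutes=10), lockout=timedelta(minutes=30)):
        self.max_prompts, self.window, self.lockout = max_prompts, window, lockout
        self.recent, self.locked_until = defaultdict(deque), {}  # per-user send times / lock expiry

    def allow_push(self, user, now):
        """True if a prompt may be delivered to `user` at `now`, False if the user is locked out."""
        if now < self.locked_until.get(user, now):
            return False
        q = self.recent[user]
        while q and now - q[0] > self.window:  # forget prompts older than the window
            q.popleft()
        if len(q) >= self.max_prompts:  # the (max_prompts + 1)th request trips the lock
            self.locked_until[user] = now + self.lockout
            q.clear()
            return False
        q.append(now)
        return True

def replay(events, limiter=None):
    """Run a log through the limiter; return {user: (delivered, blocked)}."""
    limiter, stats = limiter or PushRateLimiter(), defaultdict(lambda: [0, 0])
    for user, ts, _ in events:
        stats[user][0 if limiter.allow_push(user, parse_ts(ts)) else 1] += 1
    return {u: tuple(v) for u, v in stats.items()}

def denial_storms(events, min_denied=3, window=timedelta(minutes=10)):
    """Detection side: users who denied at least `min_denied` prompts inside one window."""
    recent, flagged = defaultdict(deque), set()
    for user, now in ((u, parse_ts(t)) for u, t, o in events if o == "denied"):
        q = recent[user]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) >= min_denied:  # repeated "not me" answers deserve an alert, not just a lock
            flagged.add(user)
    return flagged
```

With the defaults, alice receives eight prompts before the account locks and the remaining two are never delivered, while bob's two logins hours apart pass untouched; the denial check flags alice at her third denial.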
Because the attack relies on the attacker already having valid credentials, the best defense starts with good account practices:
Require strong, unique passwords for each account.
Require a password change whenever a compromise is suspected.
Educate users about attacks such as shoulder surfing, and about not writing down passwords and using a password manager instead.