‘MFA Fatigue’ is a new type of cyberattack

We have a new term for you: MFA Fatigue.

While you may feel you are tired of the additional efforts required by multifactor authentication to log in to something, that is not the MFA fatigue of which we speak.

This MFA Fatigue is a new type of cyberattack.

When a hacker obtains the password to an account protected by multifactor authentication, the attacker can flood the account owner with push alerts asking for verification. Many outlets have suggested this is what happened in the latest Uber breach.

A push alert is a message on your device asking you to verify a log-in.

“The hacker appears to have stolen an Uber employee’s password first, most likely through phishing. The hacker then inundated the employee with push alerts requesting confirmation of a remote log-in to their account. When the employee did not react, the hacker contacted her over WhatsApp, pretending as an IT department colleague and expressing urgency. Eventually, the employee relented and verified with a mouse click.”     – Tech.co

As you can see in the excerpt above, the flood may have worn out the Uber employee to the point that when the hacker reached out on a different platform claiming to be a co-worker, she finally complied.

We know of a few cases where an attacker flooded someone with push notifications to approve, and out of irritation at the barrage, the person complied. In many cases, the irritated victim could stop the flood by clicking “yes” or “approve.”

If you use Microsoft Authenticator, as many of our M365 clients do, you may have noticed that a few months ago, Authenticator started asking you to type two numbers shown on your log-in screen. This is an effort to defeat MFA Fatigue.

This helps defeat push flooding because you have to know the code shown on the screen where account access is being attempted. Since the attacker, not you, would be looking at that screen, you wouldn’t be able to type the correct numbers to admit the hacker.

Organizations need to train employees to report numerous push attempts to their IT departments instead of just approving to stop the alerts. It can be aggravating to experience, but your team needs to recognize it as a potential attack.
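The flood-then-approve pattern described above can also be flagged from sign-in logs instead of relying only on user reports. The following Python detector is an added example, not part of the original article; the event tuples, user names, 10-minute window and 5-prompt threshold are constructed assumptions, not any product's log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not a real product's log schema:
# (timestamp, user, result of the push prompt)
EVENTS = [
    ("2024-01-10T02:10:05", "alice", "timeout"),
    ("2024-01-10T02:10:40", "alice", "timeout"),
    ("2024-01-10T02:11:15", "alice", "denied"),
    ("2024-01-10T02:12:02", "alice", "timeout"),
    ("2024-01-10T02:13:30", "alice", "timeout"),
    ("2024-01-10T02:14:10", "alice", "approved"),   # gives in after the barrage
    ("2024-01-10T09:00:00", "bob", "approved"),     # ordinary single log-in
    ("2024-01-10T14:00:00", "carol", "denied"),
    ("2024-01-10T14:01:00", "carol", "denied"),
    ("2024-01-10T14:02:30", "carol", "denied"),
    ("2024-01-10T14:04:00", "carol", "denied"),
    ("2024-01-10T14:07:00", "carol", "denied"),     # flood, never approved
    ("2024-01-10T08:00:00", "dave", "timeout"),
    ("2024-01-10T12:00:00", "dave", "timeout"),
    ("2024-01-10T16:00:00", "dave", "approved"),    # spread out, not a flood
]

def find_push_floods(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received `threshold` or more push prompts within `window`.

    Returns {user: {"peak": most prompts seen in one window,
                    "approved_at": first approval during a flood, or None}}.
    """
    recent = defaultdict(deque)   # user -> prompt times still inside the window
    findings = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue                    # normal volume, nothing to report
        f = findings.setdefault(user, {"peak": 0, "approved_at": None})
        f["peak"] = max(f["peak"], len(q))
        if result == "approved" and f["approved_at"] is None:
            f["approved_at"] = ts_text  # approval mid-flood: treat as compromise
    return findings

if __name__ == "__main__":
    for user, f in find_push_floods(EVENTS).items():
        status = "APPROVED DURING FLOOD" if f["approved_at"] else "flood, not approved"
        print(f"{user}: {f['peak']} prompts in 10 min, {status}")
```

A flood without an approval still means the password is known to someone else and should be reset; an approval during a flood means the session that was granted should be revoked as well.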

We also urge organizations to use more robust multifactor authentication programs. Such programs require you to see the log-in screen and do something – such as type in corresponding numbers – rather than just click Yes or Approve.

Finally, to those of you who still resist using any multifactor authentication, you face an even greater risk of attack. Not using multifactor authentication at all is equivalent to leaving your doors unlocked.

And even if you are “just a small office no one cares about,” how much would you care if an attacker stole your customer information, accessed your bank accounts, and shut down your systems? Attackers do that too – whether you’re large or small, it’s money for them.

Can you afford that risk?

