Using Multifactor Authentication? Beware of MFA Fatigue and MFA Spamming
Multifactor authentication (MFA) is an effective tool for stopping unauthorized access to networks and websites, even if passwords are compromised. Like any other security measure, though, cybercriminals and threat actors are amazingly efficient at finding ways around the defenses.
Just ask the security teams at Uber, Cisco, and Microsoft, who watched as their employee accounts got compromised even with MFA in place. A group called Lapsus$ leaked 37 gigs of source code it stole from Microsoft after an employee fell victim to what’s increasingly being called “MFA fatigue.”
So, what is MFA fatigue, and how can you prevent it? We’ll explain, but first, let’s talk about the strengths and weaknesses inherent in multifactor authentication and why you may not be as secure as you think.
MFA strengths and weaknesses
The increasing number of resources being deployed in the cloud, the move to increased use of SaaS platforms and on-demand instances, and the increase in remote and hybrid work environments create a complex infrastructure for most companies.
MFA is an essential cybersecurity tool, requiring users to validate the access request. With MFA, users enter their password and receive an authorization request through a separate channel. Usually that results in an email or push notification containing a randomly generated PIN or code for one-time use. Until the second authorization is acknowledged or the user types the PIN into the platform, the user cannot proceed with access to the site or application.
The key benefit of MFA is that hackers would not be able to access your systems even if they obtained usernames and passwords — unless they also had access to a user’s email or a physical device. Since more than 80% of cyber breaches are the result of weak or stolen passwords, MFA provides an effective additional layer of security over the traditional approach of username/password alone.
Effective, yes, but MFA isn’t a foolproof solution for protecting your systems and data. For example, in the infamous SolarWinds hack, attackers stole the private keys for single sign-on (SSO). These keys allowed them to bypass MFA altogether. More than 400 Fortune 500 companies used Orion, SolarWinds’ network management system (NMS) software, which put all of them potentially at risk.
Some companies still rely on multiple access passwords rather than PINs or push notifications. For example, they prompt users to prove their identity by providing answers to a series of “security questions.” This method has proven less effective as social engineering has become prevalent as a way of learning a person’s likely answers to questions such as pet names, first jobs, mother’s maiden name, and so on.
MFA can also be susceptible to:
- Man-in-the-middle (MitM) attacks, in which attackers intercept outgoing or incoming messages and can view a user’s PIN or access code.
- Pass-the-cookie attacks, in which hackers steal browser session authentication cookies and inject them into a new session to fool browsers into thinking the authenticated user is present.
- SIM swapping or SIM hijacking, in which attackers collect personal information to access accounts and convince mobile phone providers to activate someone’s number on a different phone.
MFA fatigue: What it is and where it shows up
Cybercriminals' newest attack, inducing or magnifying MFA fatigue, is almost low-tech by comparison, but it can be just as devastating to organizations if successful.
MFA fatigue may sound like a user simply getting weary of dealing with the extra steps required by MFA to access a site, an application, or data. However, the term means something entirely different. MFA fatigue is a form of social engineering used by hackers to prey on victims. MFA spamming and MFA fatigue attacks bombard users with requests to validate access attempts. Through email or push notifications, attackers overwhelm users with repeated prompts to authenticate access.
The goal of MFA fatigue attacks is not to get the user to disable MFA entirely, but rather to get the user to approve the notification (by entering their credentials) to make the incessant notifications stop. Once that happens, the attacker can use the stolen or compromised passwords to gain access.
Employees are common targets of this technique, as it is difficult for large corporations to keep track of activity across all accounts.
In some cases, attackers will follow up the repeated requests for authentication with emails pretending to be from IT support, asking the user to take action.
How to secure your organization against MFA fatigue attacks
Like everything in cybersecurity, securing your organization against MFA attacks requires a layered security approach.
Deploying higher levels of MFA
Companies should review how they are deploying MFA. Security experts recommend disabling push notifications that simply ask the user to click or tap to approve. Instead, requiring random numbers sent to a phone or a separate authentication app is more effective and makes it more difficult for attackers.
Limiting the number of authentication requests is another option. On some systems, you can limit the number of requests sent so that when employees see more than that number, they know something malicious is likely happening.
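The request-limit idea above can also be applied on the detection side. The following Python check, added here as an example and not code from the original post or from Sagiss, scans sign-in log lines for accounts that receive more MFA push prompts than a threshold inside a short window and flags bursts that end with an approval, the pattern an MFA fatigue attack leaves behind. The log format, field names and sample entries are constructed assumptions, not any real product's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from any real product): one normal login
# for bob and a burst of unanswered/denied pushes for alice ending in an approval.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z user=bob event=push result=approved src=198.51.100.4
2024-03-01T02:10:01Z user=alice event=push result=timeout src=203.0.113.7
2024-03-01T02:10:31Z user=alice event=push result=denied src=203.0.113.7
2024-03-01T02:11:02Z user=alice event=push result=timeout src=203.0.113.7
2024-03-01T02:11:40Z user=alice event=push result=denied src=203.0.113.7
2024-03-01T02:12:15Z user=alice event=push result=approved src=203.0.113.7
"""

# Assumed line layout: "<ISO-8601 UTC> user=<name> event=push result=<r> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one push-prompt record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def find_push_bursts(log_text, max_prompts=3, window_seconds=600):
    """Flag users who received more than max_prompts pushes within the window.

    Assumes lines for a given user appear in chronological order. Each alert
    records the burst size, the source IPs involved and whether the burst
    ended with an approval (the high-severity case: the user likely gave in).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of prompts inside the window
    alerts = {}                  # user -> alert dict, updated as the burst grows
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            alert = alerts.setdefault(rec["user"], {"user": rec["user"], "prompts": 0,
                                                     "approved_after_burst": False, "sources": set()})
            alert["prompts"] = len(q)
            alert["sources"].add(rec["src"])
            if rec["result"] == "approved":
                alert["approved_after_burst"] = True
    return sorted(alerts.values(), key=lambda a: a["user"])
```

A burst flagged with `approved_after_burst` set should trigger an immediate session revocation and password reset for that account, since the approval itself is the evidence the attack succeeded.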
Enabling identity and access management solutions
Identity and access management (IAM) solutions also help organizations centralize and automate the management of user accounts and privileges. An IAM solution, available through Microsoft 365, provides a central platform that lets you automate account updates/adjustments, helping you keep track of employee accounts.
IAM also helps restrict lateral movement within the network by ensuring users only have access to the systems they need to do their jobs. IAM can also prevent users from escalating privileges, a common tactic of hackers who have gained access to your system. The Cybersecurity & Infrastructure Security Agency (CISA) has plenty of examples of attackers using employee accounts or exploiting software flaws to gain access and escalate privileges.
Regular end-user education
Organizations also need to provide consistent end-user education to make them aware of the latest tactics that threat actors are using. In regard to MFA fatigue, this includes educating them to be on the lookout for:
- Unexpected MFA requests
- Repeated MFA requests, especially if they did not request access
- MFA requests that come from unfamiliar locations
- Receiving emails, SMS texts, or calls from someone claiming to be with your company’s IT department asking you to disable MFA for testing
The overwhelming majority of data breaches are a result of human error. The World Economic Forum (WEF) study on global risks reports that 95% of all cybersecurity issues result from human errors. Hackers can compromise even the most secure environment without proper user training and reinforcement.
How MFA fatigue prevention fits into the zero-trust cybersecurity model
The goal of multifactor authentication is to make it much harder for attackers to steal credentials and use them to gain access. The best MFA solutions enforce a zero-trust approach when it comes to logins.
Strong MFA is an essential component of zero trust by adding a layer of security to access data. However, MFA is also only one layer in a comprehensive security approach. A holistic approach to zero trust across all networks, applications, and endpoints is crucial to optimizing protection.
Zero trust network access (ZTNA) requires all users and devices — inside a network’s perimeter or outside — to authenticate to gain access to networks and individual applications. Zero trust assumes a breach has occurred and takes proactive measures to limit exposure.
At a strategic level, ZTNA can establish, monitor, and maintain secure perimeters and endpoints within the network by forcing reauthentication at each endpoint or application.
The adoption of MFA can dramatically reduce the number of malicious logins. By adding another security layer, it can mitigate damage from stolen credentials. However, attackers continue to find new ways to exploit security flaws and act on human nature.
It takes a solid, comprehensive security strategy, robust identity access management, network segmentation, and end-user education to prevent attackers from launching successful MFA fatigue attacks.
Sagiss can help. As a Managed Service Provider specializing in cloud management, security, and IT, based in Irving, Texas, we serve clients across North Texas. Contact the security specialists at Sagiss today to find out more.