While multifactor authentication (MFA) has long been heralded as an essential security measure for keeping corporate networks safe from cybercriminals, a new type of attack is exposing a critical vulnerability – human error.
In what are known as MFA fatigue or prompt-spamming attacks, hackers bombard employees with an overwhelming number of login approval requests until they eventually accept one out of sheer frustration or confusion. This straightforward social engineering tactic exploits people’s psychological responses rather than relying on sophisticated hacking methods.
“MFA fatigue attacks exploit human vulnerability,” explains Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa, a cybersecurity training firm. “These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access.”
A high-profile example occurred in 2022 when hackers breached Uber’s IT systems this way. The attackers likely purchased an employee’s corporate login credentials on the dark web, then relentlessly spammed them with MFA requests. Claiming to be from Uber IT, the hackers convinced the exhausted employee that approving one request was the only way to stop the barrage of notifications.
“Now we’re seeing attackers finding ways around it by bombarding the victim with scores of MFA requests or by tricking them over the phone,” Collard says of MFA’s perceived impregnability. “By bugging you repeatedly until you give in, malicious actors can manipulate users into approving fraudulent access attempts.”
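The pattern described above leaves a footprint in the identity provider's push logs: a burst of prompts for one account, most of them denied or left to time out, sometimes followed by a single approval. The following detection logic is an added example, not code from the article or from KnowBe4; the log format, field names and sample lines are constructed for illustration, and the ten-minute window and five-prompt threshold are assumed starting values that a real deployment would tune.

```python
"""Flag MFA prompt-spamming (MFA fatigue) bursts in push-notification logs.

Added example. The log format below is constructed: one line per event with
timestamp, user, push outcome and source IP. Real IdP exports differ in
shape, but the same sliding-window count applies.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "alice" is spammed with six pushes in eight minutes,
# rejects five of them and finally approves; "bob" is a normal login.
SAMPLE_LOG = """\
2022-09-15T21:01:02Z alice push_sent 203.0.113.7
2022-09-15T21:01:05Z alice push_denied 203.0.113.7
2022-09-15T21:01:40Z alice push_sent 203.0.113.7
2022-09-15T21:02:10Z alice push_timeout 203.0.113.7
2022-09-15T21:02:30Z alice push_sent 203.0.113.7
2022-09-15T21:02:33Z alice push_denied 203.0.113.7
2022-09-15T21:03:10Z alice push_sent 203.0.113.7
2022-09-15T21:03:15Z alice push_denied 203.0.113.7
2022-09-15T21:04:00Z alice push_sent 203.0.113.7
2022-09-15T21:04:30Z alice push_timeout 203.0.113.7
2022-09-15T21:09:00Z alice push_sent 203.0.113.7
2022-09-15T21:09:30Z alice push_approved 203.0.113.7
2022-09-15T08:00:00Z bob push_sent 198.51.100.9
2022-09-15T08:00:04Z bob push_approved 198.51.100.9
"""


@dataclass
class PushEvent:
    ts: datetime
    user: str
    outcome: str   # push_sent / push_denied / push_timeout / push_approved
    src_ip: str


def parse_log(text):
    """Parse the constructed log format into PushEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, outcome, ip = line.split()
        # "Z" suffix is normalised so fromisoformat() works on older Pythons
        events.append(PushEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, outcome, ip))
    return events


def find_fatigue_candidates(events, window=timedelta(minutes=10), min_prompts=5):
    """Return one alert per user who received >= min_prompts pushes inside `window`.

    Each alert records the burst size, how many prompts were denied or timed
    out, and whether an approval followed the burst (the case where the user
    gave in and the account should be treated as compromised).
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        sent = [e for e in evs if e.outcome == "push_sent"]

        # Sliding window over push_sent timestamps; keep the densest burst.
        start, best = 0, None
        for end in range(len(sent)):
            while sent[end].ts - sent[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= min_prompts and (best is None or count > best[0]):
                best = (count, sent[start].ts, sent[end].ts)
        if best is None:
            continue

        count, first_ts, last_ts = best
        in_burst = [e for e in evs if first_ts <= e.ts <= last_ts + window]
        rejected = sum(1 for e in in_burst if e.outcome in ("push_denied", "push_timeout"))
        approved = any(e.outcome == "push_approved" and e.ts >= last_ts for e in in_burst)
        alerts.append({
            "user": user,
            "prompts": count,
            "rejected": rejected,
            "approved_after_burst": approved,
            "first": first_ts.isoformat(),
            "last": last_ts.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_fatigue_candidates(parse_log(SAMPLE_LOG)):
        print(alert)
```

An alert with `approved_after_burst` set is the one to act on first: revoke the session, reset the credentials that were already known to the attacker, and talk to the user. Bursts that end without an approval are still worth a ticket, since the password behind them has already leaked.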
Preventing MFA Fatigue Compromise
To prevent such attacks, Collard recommends organisations avoid using push notifications for MFA entirely. “While MFA provides an extra layer of security, it’s not foolproof. From a cybersecurity perspective, I would recommend that organisations disable push notifications altogether and rather use alternative verification methods.”
Some better options include number matching, where users match a code from their authentication app to the one displayed during login, and challenge-response methods utilising biometrics like fingerprint or facial recognition. Organisations can also adopt open standards like FIDO2, which allows passwordless logins using hardware security keys.
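Number matching closes the gap because a tap alone is no longer enough: the approver must supply information that only someone looking at the genuine login screen has. The model below is an added example written for this article, not code from KnowBe4 or from any vendor's SDK; the class and method names, the two-digit code, the 60-second lifetime and the three-attempt limit are assumptions chosen to illustrate the mechanism, alongside a plain push approval for contrast.

```python
"""Minimal server-side model of number-matching MFA approval.

Added example. Names, TTL and attempt limit are illustrative assumptions.
The number is shown only on the login screen; the phone prompt asks the
user to type it, so an attacker-initiated prompt cannot be approved blind.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PushChallenge:
    session_id: str
    number: str          # two digits displayed at the login screen only
    expires_at: datetime
    attempts_left: int = 3
    consumed: bool = False


class NumberMatchingMFA:
    """Issue push challenges that are approved only with the displayed number."""

    def __init__(self, ttl=timedelta(seconds=60), now=None):
        self._ttl = ttl
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._pending = {}

    def create_challenge(self, session_id):
        number = f"{secrets.randbelow(100):02d}"      # CSPRNG, not random.randint
        ch = PushChallenge(session_id, number, self._now() + self._ttl)
        self._pending[session_id] = ch
        return ch

    def approve(self, session_id, entered_number):
        """Outcome of the user typing `entered_number` into the app prompt."""
        ch = self._pending.get(session_id)
        if ch is None or ch.consumed:
            return "no_challenge"
        if self._now() > ch.expires_at:
            ch.consumed = True
            return "expired"
        # Constant-time compare; a single-use challenge cannot be replayed.
        if hmac.compare_digest(ch.number.encode(), str(entered_number).encode()):
            ch.consumed = True
            return "approved"
        ch.attempts_left -= 1
        if ch.attempts_left <= 0:
            ch.consumed = True
            return "locked"
        return "denied"


def plain_push_approve(tapped_approve):
    """Legacy push for contrast: one tap grants access, which fatigue attacks exploit."""
    return "approved" if tapped_approve else "denied"


def run_scenarios():
    """Walk through the cases a defender cares about and return the outcomes."""
    results = {}
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # controllable clock
    mfa = NumberMatchingMFA(now=lambda: clock[0])

    # 1. Legitimate login: user reads the number off the screen and types it.
    ch = mfa.create_challenge("legit")
    results["legit"] = mfa.approve("legit", ch.number)
    results["replay"] = mfa.approve("legit", ch.number)

    # 2. Attacker-initiated prompt: the victim never saw a login screen, so a
    #    guessed number fails and three misses lock the challenge.
    ch = mfa.create_challenge("spam")
    wrong = f"{(int(ch.number) + 1) % 100:02d}"
    results["spam"] = [mfa.approve("spam", wrong) for _ in range(3)]
    results["spam_after_lock"] = mfa.approve("spam", ch.number)

    # 3. Stale prompt: even the right number is useless once the TTL passes.
    ch = mfa.create_challenge("stale")
    clock[0] += timedelta(seconds=61)
    results["stale"] = mfa.approve("stale", ch.number)

    # 4. Plain push: a single tap is enough.
    results["plain_push"] = plain_push_approve(True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The attempt limit matters as much as the number itself: with only a hundred possible values, an unbounded prompt could be approved by guessing, so each challenge is consumed after a few misses and the burst of locked challenges becomes a signal of its own.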
However, Collard emphasises that no method is immune to skilled social engineering. Ultimately, “mindfulness is key” – users must stay calm and alert to anything that feels amiss, rather than reacting rashly under pressure.
As MFA fatigue attacks demonstrate, cybersecurity’s human element remains the most critical vulnerability. With hackers constantly adapting their tactics, enterprises must provide robust technology solutions and prioritise ongoing security awareness training to safeguard against both technical exploits and insidious psychological manipulation.