What are MFA fatigue attacks, and how can they be prevented?

April 2024 Information Security

During an attack on Uber’s IT systems in 2022, the hackers did not use any sophisticated tactics to gain access. Instead, they bombarded an employee with repeated login requests until, out of sheer frustration, the employee approved one. “This type of cyberattack is known as an ‘MFA fatigue attack’ and poses a real risk to organisations,” says Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa.

“MFA fatigue attacks, also known as prompt spamming or authentication bombing, exploit human vulnerability, rather than relying on high-tech hacking methods,” she explains. “These attacks involve sending continuous push notifications to a target who has already provided their username and password, aiming to irritate or confuse them into unwittingly granting the attacker access to their account or system.”

With Uber, the attacker likely bought the contractor's Uber corporate username and password on the dark web. The attacker then made repeated attempts to log into the victim's Uber account. Each time, the victim received a request to approve a two-factor login, which blocked access at first. However, eventually, and after the attacker contacted the contractor on WhatsApp claiming they were from Uber IT and that the only way to get rid of the never-ending notifications was to accept one, the contractor accepted one request, allowing the attacker to successfully log in.

Previously, cybersecurity experts believed that multifactor authentication (MFA) was a foolproof method to protect corporate IT systems from hackers. “Now we are seeing attackers finding ways around it by bombarding the victim with scores of MFA requests, or by tricking them over the phone,” says Collard. “This tactic, similar to a swarm of bees overwhelming someone, is a simple yet effective social engineering technique used by hackers. By bugging you repeatedly until you give in, malicious actors can manipulate users into approving fraudulent access attempts.”

How can you prevent it?

The best way to prevent MFA fatigue attacks in organisations is not to use push notifications. “While MFA provides an extra layer of security, it is not fool proof,” she asserts. “From a cybersecurity perspective, I would recommend that organisations disable push notifications altogether and rather use alternative verification methods.”

An example of a better verification method is number matching. This involves matching a unique code provided by the authentication app with the code displayed on the screen during the login process.

A challenge-response method is another effective way of providing additional security. This method asks a user a specific question to verify their identity or to perform a task in response to a challenge. A challenge-response method is more difficult for hackers to bypass. It can involve mechanisms like biometric authentication, in which users must scan their fingerprints or irises or use facial recognition to gain access to a network. However, both of the above are not immune against so-called ‘man-in-the-middle’ or social engineering attacks, tricking the users to hand over their OTP or response to the fraudster.

Another effective verification method is FIDO2, an open authentication standard that allows users to log in without using passwords. “You can implement FIDO2 using hardware security keys,” she explains. Typically, USB sticks store the user’s private key, while the public key is stored on the authentication server. As soon as the user enters their username and password, the system requests them to use the hardware key. “It is more resistant to phishing as it works on a challenge-response protocol and does not rely on a one-time PIN that can be intercepted.”

Mindfulness is key

As with all hacking attempts, it is crucial that users remain calm and mindful, rather than reacting emotionally. “Stay tuned into your body’s responses when dealing with potential cybersecurity threats, whether they are phishing emails or MFA fatigue attacks,” says Collard. “If something feels strange, like if the situation is putting you under undue pressure, listen to that cue and do not respond in a knee-jerk fashion. In this way, you will keep a straight head and thwart potential data breaches.”




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...
Cybersecurity in South Africa
Information Security
According to the Allianz Risk Barometer 2025, cyber incidents, including ransomware attacks, data breaches and IT outages, are now the top global business risk, marking their fourth year at the top.

Read more...
Are AI agents a game-changer?
Information Security
While AI-powered chatbots have been around for a while, AI agents go beyond simple assistants, functioning as self-learning digital operatives that plan, execute, and adapt in real time. These advancements do not just enhance cybercriminal tactics, they may fundamentally change the battlefield.

Read more...
Disaster recovery vs cyber recovery
Information Security
Disaster recovery centres on restoring IT operations following events like natural disasters, hardware failures or accidents, while cyber recovery is specifically tailored to address intentional cyberthreats such as ransomware and data breaches.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
The rise of AI-powered cybercrime and defence
Information Security News & Events AI & Data Analytics
Check Point Software Technologies launched its inaugural AI Security Report, offering an in-depth exploration of how cybercriminals are weaponising artificial intelligence (AI), alongside strategic insights defenders need to stay ahead.

Read more...
The deepfake crisis is here and now
Information Security Training & Education
Deepfakes are a growing cybersecurity threat that blur the line between reality and fiction. These AI-generated synthetic media have evolved from technological curiosities to sophisticated weapons of digital deception, costing companies upwards of $600 000 each.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...