As businesses increasingly adopt Multi-Factor Authentication (MFA) to secure their digital assets, a new challenge emerges: MFA fatigue. This grows from the frequent and sometimes cumbersome authentication processes that users undergo daily.
Cyber attacks exploiting MFA fatigue are becoming increasingly common. In 2022, Kevin Beaumont, a cybercriminal, managed to breach Uber’s security by pestering an Uber contractor for an hour until he finally gave in and Kevin successfully gained unauthorized access.
So let’s understand the causes and consequences of MFA fatigue and explore solutions that help prevent it.
What is MFA fatigue?
At its core, MFA fatigue is a state of weariness or frustration experienced by users when dealing with MFA processes. While MFA is intended to bolster security by requiring additional identity verification steps, it can become burdensome for users if:
Prompted too frequently: Constantly being asked to authenticate can become annoying and time-consuming.
Facing complex or inconvenient methods: Methods that require multiple steps or devices can be frustrating.
Experiencing inconsistent experiences: Different systems or applications requiring different types of MFA can be confusing.
This MFA fatigue can potentially lead to negative outcomes, such as users trying to circumvent security measures, selecting weaker authentication methods, or expressing resistance to security protocols.
For example, a user logs into a service they haven't used in a while and is prompted for MFA. Due to their infrequent use or over-familiarity with verification messages, they become indifferent and inattentive to the source and appearance of the OTP or magic link. This lack of attentiveness can lead to security risks, making them vulnerable to phishing or social engineering attacks that exploit their indifference.
Over time, such frustrations add up. They create an environment where even well-intentioned users might fall victim to an MFA fatigue attack because they feel overburdened with authentication processes.
Implications of MFA fatigue
The most significant implication of MFA fatigue is that it makes organizations vulnerable to cyberattacks, where hackers exploit user weaknesses to break authentication.
Circumvention: Users might seek ways to bypass MFA, such as saving login sessions or using less secure methods, which can compromise account security.
Phishing vulnerability: Fatigued users may become less attentive to the authenticity of MFA prompts, making them more susceptible to phishing attacks.
Negative user experience: Repeated MFA requests can lead to frustration and dissatisfaction with the service or application, potentially causing users to disengage.
Increased support tickets: Frustrated users may frequently contact support for assistance with MFA issues, leading to an increased workload for IT and support teams.
Read more: Phishing-Resistant MFA Explained
How cybercriminals exploit MFA fatigue
Unlike some other cyberattacks, exploiting MFA fatigue requires extensive prior knowledge and context for cybercriminals. They need to know that an organization uses MFA, what its protocols look like, and, most critically, what credentials their targets use to log in.
MFA fatigue attacks can vary, but they usually follow a pattern like this:
Credential theft: First, threat actors must have the user’s primary login credentials (username and password), which they seize through various methods, including brute force attacks, malware, credential stuffing attacks using previously leaked databases, or exploiting security vulnerabilities in software.
Exploiting human error: Then, attackers send the user messages that mirror the service’s typical MFA prompts, attempting to coax a login by having them click on a provided link.
Gain access: Once the victim gives in and the attackers gain unauthorized access to their account they can illegitimately use, delete, or otherwise compromise sensitive data.
Attackers often send numerous messages with insidious details designed to assuage users’ concerns. For example, they might include hedging language about the auth systems being in flux, which justifies sending multiple messages. This might be paired with automation, making it easier for cybercriminals to bombard users’ inboxes and wait for them to give in.
How to prevent MFA fatigue attacks
To effectively combat MFA fatigue attacks and safeguard sensitive data, organizations can employ various preventive measures. Implementing these strategies helps alleviate the burden on users while maintaining a robust security posture. Here are a few methods to consider:
Deploying strong MFA methods
Using strong authentication methods, such as biometrics or passwordless authentication, can alleviate MFA fatigue. Biometric authentication leverages unique physical characteristics (like fingerprint or facial recognition), while passwordless authentication eliminates the need for remembering and managing complex passwords, reducing user frustration and fatigue. Besides being user-friendly, they’re also more secure.
Read more: 4 Benefits of Passwordless Authentication
Simplifying MFA processes
Standardize and simplify authentication methods across different applications to make the user experience more consistent and less frustrating.
Use a single IDaaS provider for all applications and services within your organization. This ensures that the authentication process remains the same, regardless of which application the user is accessing. Moreover, establishing uniform policies for MFA requirements, such as the frequency of prompts, session timeouts, and retry limits helps users know what to expect and reduce confusion.
Risk-based authentication
Use risk-based authentication to reduce the frequency of MFA prompts for low-risk activities.
Adopting risk-based authentication enables organizations to dynamically adjust the level of security required based on the perceived risk of each login attempt. By analyzing factors like user behavior, device information, and location, organizations can strike a balance between security and user experience, minimizing unnecessary authentication steps for low-risk scenarios.
Avoiding vulnerable methods
Organizations should steer clear of authentication methods susceptible to exploitation, like push notifications. These can be vulnerable to social engineering attacks or man-in-the-middle attacks. Instead, prioritize more secure and robust authentication approaches to prevent MFA fatigue attacks.
Educating users
Promoting awareness and educating users about MFA best practices is crucial. Organizations can provide guidance on recognizing phishing attempts, verifying the legitimacy of MFA prompts, and maintaining strong password hygiene. By empowering users with knowledge, they become more vigilant and better equipped to protect themselves against attacks exploiting MFA fatigue.
Stop MFA fatigue with Descope
The risks of MFA fatigue are real, but so is the solution. With Descope’s drag-and-drop CIAM platform, every developer can add secure yet user-friendly MFA to their B2C or B2B apps. You can create adaptive MFA flows and add strong factors like passkeys with minimal coding, reducing MFA fatigue while preserving account security.
Sign up for Descope’s Free Forever plan today to add phishing-resistant MFA to your services. Have questions about our MFA solutions? Book time with our auth experts.