Multi-Factor Authentication (MFA) Fatigue Attacks

The more advanced and newfangled our tech gets, the more creative hackers and scammers get to take advantage of it. Multi-factor authentication “fatigue” attacks are the latest in a long line of access scams perpetrated by ne’er-do-wells around the world.

This tricky – and extremely annoying – hack attack is typically the result of a successful phishing attempt or another way of accessing your login information. And just like most cybersecurity attacks, the best way to prevent falling victim to a scam is to know what to expect.

What is an “MFA fatigue attack”?

Okay, we’ve got to hand it to the hackers here, this one’s actually pretty creative. (But that doesn’t make it any less serious.) Multi-factor authentication, or MFA, involves requiring more than just one authentication process for accessing a system. First-factor authentication, typically a username and password, has exhibited security risks in the past. If somebody gets their hands on your login info, you want extra security measures in place, right?

MFA requires someone to take additional security steps, such as approving a pop-up notification on their device, inputting a security code, or clicking a “verify now” link in an email. While these steps can sometimes be time-consuming, they’re critical to protecting your sensitive small business data. However, hackers lean into the time-consuming or “annoying” aspects of MFA to trick people into approving a sketchy authentication attempt.

Here’s how an MFA fatigue attack works:

  1. First, a hacker gains access to your username and password. This could be from a successful phishing attempt or another illegal data-gathering method. 
  2. Then, the hacker pretends to be you. They attempt to log in and thus trigger an authentication process – a pop-up on your phone or a security email, for example.
  3. Next, they do it again. And again. And again. And aga—you get the picture. By triggering gajillions of authentication processes at once, the hacker hopes to overwhelm you (or give you MFA “fatigue”) so that you’ll approve one of the authentications just to make the requests stop.

Why are MFA fatigue attacks a risk to my business?

As small business owners, we know how busy our days can be. And there’s nothing more annoying than that little notification popping up over and over again – wouldn’t it just be easier to approve the authentication and move on with your day?

Hackers and scammers rely on this fatigue to gain access to your systems. While blowing up your phone or email account, a scammer might call you posing as a tech support operative, and claim the extra authentication attempts are just a routine maintenance disruption: “Once you accept the notification, the glitch will be fixed!”

*Cue JAWS theme song here.*

Small businesses are at particular risk of cybersecurity attacks like MFA fatigue scams because the day-to-day operations of our businesses are so complex – and our teams are often so small that we’re running at a thousand miles a minute, thus more likely to approve the notifications so we can get on with our days. The best defense is knowledge – so by reading this blog, you’re already a step ahead of the crowd.

How do I prevent MFA fatigue attacks?

First, make sure you have solid MFA procedures in place. Sure, approving a pop-up or entering a security code takes a few extra seconds, but it keeps your data safe and secure. You can tighten the security of your MFA procedures by…

Updating your MFA parameters to limit the number of authentication attempts an account can have before locking itself out, add geolocation or biometric requirements (like a fingerprint or face-recognition unlock on your phone), increase the steps to authenticate a login, or flag suspicious login attempts and send them directly to your IT provider.

Restricting employee access to unnecessary accounts – make sure team members have logins only for the programs and platforms they actually use.

Investing in cybersecurity and best practices training for your employees. This is a HUGE opportunity that many small business owners overlook. By simply explaining the common security threats for small businesses, your team can be its own best line of defense.
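Here's what the "limit the attempts and flag suspicious logins" advice above can look like in practice. This is an added example, not code from this post or from GTS: the event format, the five-prompt threshold, the ten-minute window and the alert names are all assumptions, and the log entries are made up for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-05-01T08:58:00", "alice", "approved"),   # ordinary login
    ("2024-05-01T09:00:00", "bob", "denied"),
    ("2024-05-01T09:00:30", "bob", "denied"),
    ("2024-05-01T09:01:00", "bob", "ignored"),
    ("2024-05-01T09:01:10", "carol", "ignored"),    # missed the prompt twice
    ("2024-05-01T09:01:30", "bob", "denied"),
    ("2024-05-01T09:01:40", "carol", "ignored"),
    ("2024-05-01T09:02:00", "bob", "denied"),
    ("2024-05-01T09:02:05", "carol", "approved"),
    ("2024-05-01T09:02:30", "bob", "ignored"),
    ("2024-05-01T09:03:10", "bob", "approved"),     # gave in after the burst
]

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return (timestamp, user, kind) alerts for push-prompt bursts."""
    rejected = defaultdict(deque)   # user -> times of recent unapproved prompts
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        recent = rejected[user]
        # Forget prompts that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "approved":
            # An approval right after a pile of rejections is the red flag.
            if len(recent) >= threshold:
                alerts.append((ts_text, user, "approved_after_burst"))
            recent.clear()
        else:
            recent.append(ts)
            # Alert once, at the moment the burst reaches the threshold.
            if len(recent) == threshold:
                alerts.append((ts_text, user, "prompt_burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(*alert)
```

A `prompt_burst` alert is the moment to pause push approvals for that account or ping your IT provider; an `approved_after_burst` alert should be handled as a possible account takeover.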

When in doubt, leave it to the experts at GTS. If you’re not sure how to get started, we’re here to tell you we’ve got it covered. With our Remote Monitoring & Management (RMM) services, you’ve got 24/7 business protection for all of your sensitive data. Give us a call at (904) 606-6011 or email to see what defenses we can build against MFA Fatigue and other small business security risks.


Paul May