How to stop employees from accepting unsolicited MFA requests

Responding to human risk
CultureAI Team
April 10, 2023
Security Manager

Contributed by:

⚡ TL;DR ⚡
  • Multi-Factor Authentication (MFA): MFA, which requires employees to provide two or more separate forms of identification, is essential for robust cybersecurity, but improper or overused implementation can lead to MFA fatigue.
  • MFA Fatigue and Attacks: MFA fatigue can lead to security complacency among employees, making organisations vulnerable to cyber attacks. Notable instances of potential MFA fatigue attacks have involved companies like Uber, Microsoft, and Cisco.
  • MFA Spamming: Attackers can exploit MFA fatigue by mimicking legitimate MFA prompts, tricking employees into providing login credentials or approving unsolicited authentication requests. The issue lies not in MFA itself, but in its overuse and the subsequent user fatigue.
  • Preventing MFA Fatigue: Strategies to prevent MFA fatigue include employee education, balanced MFA implementation, employing adaptive MFA, streamlining employee experience, using diverse MFA methods, and conducting regular audits and feedback sessions.
  • Best MFA Practices: To maximise MFA effectiveness, organisations should layer security measures, use a variety of authentication factors, implement adaptive MFA, update and patch MFA solutions regularly, educate employees, audit MFA systems, and prioritise employee experience.

What is Multi Factor Authentication?

Multi-factor authentication (MFA) is a security mechanism that requires individuals to provide two or more separate forms of identification to verify their identity. These authentication methods typically fall into one of three categories: something you know (like a password), something you have (such as a hardware token or a mobile app), and something you are (like a fingerprint or facial recognition).

The purpose of MFA is to provide a robust security layer, making it more difficult for unauthorised individuals to gain access to critical systems or sensitive data. Even if one factor is compromised, such as a password, the attacker would still need to breach the additional layers of security. This approach is an important part of defence-in-depth strategies and is becoming increasingly prevalent as cyber threats evolve in complexity and sophistication.

What is MFA Fatigue?

Multi-Factor Authentication (MFA) fatigue is a phenomenon that arises when employees become overwhelmed or irritated by frequent MFA requests, resulting in decreased vigilance and security awareness. This fatigue often occurs in environments where MFA requests are overused or improperly implemented, leading to frustration and an increased likelihood of security errors.

While MFA is an excellent security measure, its frequent and unnecessary use can lead to complacency among employees. If they are constantly interrupted by MFA requests, employees might begin to view these security prompts as routine annoyances rather than essential security steps. Over time, this 'MFA fatigue' can lead to hurried or careless behaviour, such as automatically approving MFA prompts without verifying their legitimacy.

Moreover, MFA fatigue can also open up new avenues for cyber attackers. For example, attackers might exploit this fatigue by mimicking legitimate MFA prompts in an attempt to trick employees into providing their login credentials or approving unsolicited authentication requests. This is known as an MFA fatigue attack.

Therefore, while MFA is a critical component of modern cybersecurity strategies, it's essential that its implementation is carefully managed. MFA should not interfere with productivity or user experience to the point that it breeds frustration and complacency. Otherwise, the very tool designed to enhance security could inadvertently contribute to its undermining, making organisations more vulnerable to cyber attacks. In short, striking a balance between security and usability is crucial to prevent MFA fatigue and maintain effective defence against cyber threats.

MFA Fatigue Attack Examples

MFA fatigue attacks have surfaced in numerous high-profile cybersecurity incidents, with some cases suggesting that the exploitation of MFA fatigue was the key to the perpetrators' success. Here are a few notable instances where MFA fatigue is thought to have played a crucial role:

Uber: Threat actors managed to penetrate Uber's internal Slack server and vulnerability reports. It's believed that the attackers sent repeated approval requests to a contractor, capitalising on MFA fatigue to gain access. Thanks to the company's prompt response, the impact of the attack was reportedly limited.

Microsoft: Tech giant Microsoft fell victim to a significant data breach allegedly conducted by the group Lapsus$. They were able to exfiltrate around 37GB of data from an internal DevOps server, compromising key components of Bing's source code and parts of Bing Maps and Cortana. While it was not explicitly confirmed, there is widespread speculation that MFA fatigue may have facilitated the initial access to the compromised account.

Cisco: An attack on Cisco's network reportedly involved a blend of voice phishing and MFA fatigue. It's suggested that the ransomware gang Yanluowang targeted an employee whose work credentials were linked with their personal Google account. Although no ransomware was deployed before the incident was detected, the hackers are believed to have pilfered approximately 3GB of sensitive data.

These examples underline the importance of addressing MFA fatigue in organisations to ensure it doesn't become an entry point for threat actors looking to exploit the vulnerabilities it can inadvertently create.

How is MFA Spamming Conducted?

Initially, the attacker needs to obtain the victim's username or email address, which can often be achieved through various phishing techniques or data breaches. Once this initial information is acquired, the attacker can initiate an MFA request, assuming the user's account is protected by multi-factor authentication.

When the user receives this unsolicited MFA prompt, they might dismiss it as a system error or a routine anomaly, particularly if they frequently encounter such requests in their daily work. This is where the concept of MFA fatigue comes into play: employees who are overwhelmed by regular MFA prompts may start to disregard their importance.

In some cases, the user might unknowingly approve the request, granting the attacker access to their account. In other scenarios, a more crafty attacker might mimic legitimate MFA requests, tricking the user into providing their secondary authentication factor, such as a temporary code or biometric data.

While MFA spamming exploits the security measure designed to enhance protection, it's critical to understand that the issue lies not in the MFA itself, but in its overuse and the subsequent user fatigue and complacency. This understanding can inform more effective and user-friendly MFA deployment.

How to Prevent MFA Fatigue Amongst Employees

Preventing MFA fatigue among employees is crucial to maintain robust cybersecurity. Here are some strategies that organisations can adopt:

1. User Education and Training: First and foremost, employees need to understand why MFA is necessary and how it protects both them and the company. Regular training sessions can keep employees updated about the latest threats and how MFA combats them. Explaining the risks of MFA fatigue and how to identify potential spamming attacks can help reduce complacency.

2. Balanced Implementation: Implement MFA judiciously. Not all systems require the same level of security. Overuse can lead to user frustration and MFA fatigue. Apply it where it matters most - like access to sensitive data or critical systems.

3. Adaptive MFA: Adaptive MFA systems adjust their requirements based on the perceived risk. For instance, employees operating from a recognised location or device might face fewer prompts, while unusual behaviour, like a login attempt from a new location, would trigger additional security checks.

4. Streamline User Experience: Simplify the MFA process as much as possible. This might include providing clear instructions on how to navigate MFA prompts, or using a streamlined system that combines steps to reduce the number of interactions needed.

5. Employ a Variety of Methods: Diversifying the types of MFA used can prevent the process from becoming monotonous and can also increase security by combining methods that compensate for each other's weaknesses.

6. Regular Audits and Feedback: Regularly review your MFA practices and take feedback from your employees. If employees are feeling overwhelmed, it might be time to adjust your approach.

Preventing MFA fatigue is not just about making employees' lives easier; it's also about maintaining an effective line of defence against cyber threats. By implementing MFA thoughtfully and educating employees about its importance, organisations can prevent fatigue and reinforce their cybersecurity measures.

Best MFA Practices

In implementing MFA, organisations must adhere to several best practices to maximise effectiveness and minimise user fatigue. Here are some key strategies to consider:

1. Layer Your Security: While MFA is a crucial part of your cybersecurity strategy, it shouldn't be your only line of defence. A layered approach that includes firewalls, anti-virus software, and secure network protocols can add additional protection.

2. Use a Variety of Authentication Factors: Mix and match the authentication factors – something you know, something you have, and something you are – to enhance security. For instance, using a fingerprint (something you are) along with a smartphone app (something you have) can create a robust security barrier.

3. Implement Risk-Based or Adaptive MFA: Instead of prompting for additional authentication every time, consider using adaptive MFA, which only prompts for extra authentication when risky or unusual activity is detected.

4. Regularly Update and Patch Your MFA Solutions: Just like any other software, your MFA solutions need to be kept up to date. Regular updates will ensure you're protected against any known vulnerabilities.

5. Educate Your employees: Make sure your employees understand the purpose and importance of MFA. Teach them how to identify and handle unsolicited MFA prompts correctly to avoid falling victim to MFA fatigue attacks.

6. Regularly Audit Your MFA Systems: Consistently review your MFA systems to ensure they are working as expected. Audits can reveal whether employees are experiencing MFA fatigue or if there are any weaknesses in the system that need to be addressed.

7. User Experience Matters: MFA should not be a hindrance to productivity. A seamless user experience with clear instructions can encourage employees to view MFA positively.

Remember, the goal of MFA is to add an extra layer of protection to your systems and data, and its effectiveness relies heavily on its correct implementation and the employees' understanding of its importance.

Want to learn more?

Find out how CultureAI can keep you and your team secure year round.
Click here