Countering MFA fatigue demands a rethink on user authentication

Tesserent Australia Pty Ltd

By Kurt Hansen, CEO, Tesserent
Monday, 12 August, 2024


Stolen user credentials are a cybercriminal’s weapon of choice for initiating data breaches. Verizon’s Data Breach Investigations Report and Google’s Threat Horizons Report highlight that credential theft is the primary method deployed by threat actors to infiltrate systems. Australian organisations need to urgently fortify their defences against this pervasive attack vector.

The most common method used to minimise the risk of credential theft is multi-factor authentication (MFA). In addition to a (hopefully) strong password or passphrase, users enter a second authentication factor, such as a sequence of numbers or letters — delivered by text message or generated by an app — that changes regularly and can only be used once. MFA has proven to be an effective way of reducing the risk of a breach should a password be cracked or a stolen password misused.

More recently, criminals have deployed a new method to try to overcome MFA. They bombard users with MFA requests until they acquiesce and enter a code. Hackers effectively wear down users or trick them until they enter the code. Dubbed ‘MFA fatigue’, this is a method that has been effectively used in many high-profile attacks.

In 2022, Uber’s systems were compromised when an attacker bombarded a user with MFA requests. The user inadvertently supplied the MFA code, which gave the attacker access to systems via the company’s secure VPN. In this case, the attacker also contacted the target on WhatsApp. Posing as tech support, they asked the person to accept the MFA request.

Once they were inside the VPN, the attacker moved laterally through Uber’s systems and was able to steal data. The hacking group that claimed responsibility for the cyber attack has used similar techniques against many other companies including Cisco and Microsoft.

The challenge for organisations is that MFA adds a step in the login process for all users. And while single sign-on tools reduce the number of times users need to enter credentials, it’s not uncommon for staff to have several different accounts for access to different systems. This can mean several different MFA requests, possibly from different MFA providers. As a result, users can become frustrated or confused and mistakenly enter a code.

In a heightened threat landscape, countering MFA fatigue is critical. The use of passkeys, where users verify their identity using something other than a password, can simplify and speed up the time to log in while boosting security. Passkeys use a biometric authentication method such as a fingerprint or facial recognition, or a device-specific PIN, and only work from an authorised device. For an attacker to compromise an account, they would need the user’s phone, tablet or computer, and their face scan or fingerprint, or the PIN. This makes it significantly more difficult for the attacker to gain unauthorised access.

Organisations should also invest time in regular education and awareness programs so users understand why they must only respond to MFA requests when they are certain those requests are legitimate. For many years, we have all been conditioned to press the ‘OK’ button when a dialog box appears. It is critical that users do not respond to MFA requests unless they are certain. And if they do make an error, they should feel safe to report the unexpected MFA request promptly, without fear of any retribution.

Organisations also need to deploy contextual awareness when a user is logging in or accessing sensitive information. If a user is working on a known device, accessing systems they use regularly during their usual work hours and from a known location, then the likelihood of their account being compromised is very low. In that case, an MFA request is probably not required. By reducing the frequency of MFA requests and embedding processes and systems to take into consideration contextual awareness, the risk of MFA fatigue is further reduced.
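As an added illustration of the two defensive ideas above (it is example code written for this article, not Tesserent's tooling or any product's API), the script below does two things over a constructed push-MFA event log: it flags the ‘MFA fatigue’ pattern described earlier, a burst of push prompts to one user in a short window in which repeated denials are followed by an approval, and it scores a login's context (known device, known country, usual working hours) to decide whether an MFA prompt is needed at all. The user names, device identifiers, log format, thresholds and user profiles are all assumptions made up for the demo.

```python
"""Toy defender-side analysis of push-MFA prompts (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <device id> <country> <result>".
# "alice" receives six prompts in under six minutes, denies five and then approves
# the sixth: the push-bombing pattern. "bob" receives two ordinary prompts hours apart.
SAMPLE_LOG = """\
2024-08-12T02:14:05Z alice unknown-7f NL denied
2024-08-12T02:14:40Z alice unknown-7f NL denied
2024-08-12T02:15:12Z alice unknown-7f NL denied
2024-08-12T02:16:03Z alice unknown-7f NL denied
2024-08-12T02:17:30Z alice unknown-7f NL denied
2024-08-12T02:19:45Z alice unknown-7f NL approved
2024-08-12T08:02:11Z bob laptop-b2 AU approved
2024-08-12T13:40:09Z bob laptop-b2 AU approved
"""

# Assumed per-user baseline profiles, as an identity provider might learn them over time.
KNOWN_PROFILES = {
    "alice": {"devices": {"laptop-a1"}, "countries": {"AU"}, "work_hours": (8, 18)},
    "bob": {"devices": {"laptop-b2"}, "countries": {"AU"}, "work_hours": (8, 18)},
}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "device": device, "country": country, "result": result,
        })
    return events


def detect_push_bombing(events, window_minutes=10, min_prompts=5):
    """Flag users who received at least `min_prompts` prompts inside any `window_minutes`
    window. Also record whether an approval came after denials in that burst, which is
    the 'worn down into accepting' signal worth escalating to an analyst."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < min_prompts:
                continue
            denials = [k for k, e in enumerate(burst) if e["result"] == "denied"]
            approvals = [k for k, e in enumerate(burst) if e["result"] == "approved"]
            approved_after_denials = bool(denials and approvals and max(approvals) > min(denials))
            prev = alerts.get(user)
            if prev is None or len(burst) > prev["prompts"]:
                alerts[user] = {"prompts": len(burst),
                                "approved_after_denials": approved_after_denials}
    return alerts


def risk_score(user, device, country, local_hour):
    """Contextual risk: 0 means everything matches the user's baseline. Each deviation
    adds to the score; an unfamiliar device weighs most. Unknown users score high."""
    profile = KNOWN_PROFILES.get(user)
    if profile is None:
        return 3
    score = 0
    if device not in profile["devices"]:
        score += 2
    if country not in profile["countries"]:
        score += 1
    start, end = profile["work_hours"]
    if not (start <= local_hour < end):
        score += 1
    return score


def mfa_required(user, device, country, local_hour, threshold=1):
    """Only prompt when the context deviates from the baseline; a fully familiar
    login (score 0) proceeds without a push, which is what cuts prompt volume."""
    return risk_score(user, device, country, local_hour) >= threshold


if __name__ == "__main__":
    for user, info in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['prompts']} prompts, "
              f"approved after denials: {info['approved_after_denials']}")
    print("alice, known laptop, AU, 10:00 -> MFA needed:", mfa_required("alice", "laptop-a1", "AU", 10))
    print("alice, unknown device, NL, 02:00 -> MFA needed:", mfa_required("alice", "unknown-7f", "NL", 2))
```

The two halves reinforce each other: the contextual check keeps prompts rare for routine logins, so a sudden burst of prompts stands out in the log and the detector has a clean signal to work with. In a real deployment the profiles would come from the identity provider's sign-in history rather than a hard-coded dictionary, and an alert with approved_after_denials set should trigger session revocation and a conversation with the user, not just a log entry.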

While MFA remains effective, highly motivated threat actors are using tactics that seek to overcome this important security tool. By educating users, investing in alternative technologies such as passkeys and only deploying MFA where the operational context demands it, the risk of MFA fatigue can be significantly reduced and cybersecurity defences enhanced.
