Skip to main content

What is an MFA Fatigue Attack?

MFA fatigue refers to an excess of prompts or push notifications, repeatedly spamming a victim’s phone requesting sign-in approval.

How it works:

  1. The bad actor has already stolen/gained access to the victim’s username/password credentials.
  2. The bad actor uses the credentials to legitimately log into an account protected by push MFA and repeats the log-in process multiple times in succession to generate multiple authentication requests, pushed out to the victim.
  3. The victim receives multiple “valid” push notifications over and over. (Normally to a mobile app)
  4. Eventually, the victim is overwhelmed or is burdened with this flood of MFA notifications and concedes to the “spam” out of exasperation and taps “YES, it’s me” instead of “NO, it’s not me.”

This “fatigue” technique is quite effective because it targets human knowledge and alternatively to the user being distracted or overwhelmed by the notifications, in some cases, the bombardment of notifications can be misinterpreted as a bug or confused with other legitimate authentication requests.

Mitigate Push Notification Spamming

There are also a few methods/settings that can help mitigate the fatigue strategy.

  • Configuring Service Limits – One effective way to protect your Microsoft 365 accounts against this attack is to configure the default limits of the Multi-Factor Authentication service.
  • Phone Sign-In – A user can help prevent inadvertent access to their account by using the Microsoft Authenticator’s phone sign-in verification method. This method generates a unique two-digit number that must be confirmed on both sides. This method makes it very hard for an attacker to compromise since the attacker is shown a number that must be guessed in the phone (which the attacker doesn’t have access to). This method diminishes the possibility of accidentally approving said access.

Courtesy of Microsoft

  • Disable Push Notifications as Verification Method – This is a radical move, but a quick solution to disable the use of push notifications as a verification method.

Multi-factor Authentication or MFA (sometimes referred to as 2FA) is still an excellent way to protect your accounts from bad actors trying to gain access to them. It provides a second layer of protection, along with strong passwords, by introducing another step in the process to verify the real identity of the user trying to log in. Users just need to be vigilant and NOT approve authentication requests they did not initiate, no matter how many push requests come thru.

If you want to learn more about how we can help you implement MFA/2FA for your own network, give our office a call.


Braver Technology Solutions  |
Boston 617.315.8515 | Taunton 508.824.2260 | Providence 401.484.7900

One Comment

Leave a Reply