MFA Fatigue or MFA Bombing - What can one do about it?

Published on October 1, 2022

Organisations across the world, over the last few years have adopted multifactor authentication to protect user identities. They have complemented standard username and password combination. The Multi factor authentication reduces the credential compromise to over 90% as per various surveys. However the cyber criminals find different ways to circumvent multifactor authentication. One of these method is to cause MFA fatigue to users and gain access to user identities and subsequently to organisation system and application access. 


MFA fatigue  

When multiple push-based authentication requests which is triggered by cyber criminals and are received in quick succession by the users in their systems (Usually mobile ) for them to approve access to application. The users typically will read the push-based authentication requests carefully for initial few request(s) and post which, might approve the access inadvertently. Once the cyber criminals get access to the identity of the user they go ahead with other actions including to make their access to organisation systems and applications permanently.


As you may have noticed some of the recent high profile organisation breaches across the world cybercriminals have utilised MFA fatigue aspect . In this article we will look at ways to address this problem at different layers. 

Prevention

  1. Devices based authentication will restrict access to organisation Internal applications/Cloud based applications to approved devices only thereby reducing the threat surface available
  2. Enabling of Zero Trust VPN instead of traditional VPN which will restrict the access to organisation network to specific applications and prevent wide range access in case of credential compromise
  3. Restricting organisation Internet facing applications which is used by employees & contractors, either hosted on-prem or cloud  to only company owned IP address including the VPN address range
  4. Passwordless Authentication/MFA with risk based authentication
  5. MFA system with Number Matching
  6. Prevent new devices registration used by employees & contractors and make it dependent on IT /security approving it with certain criteria (after the initial enrolment of users)
  7. Wherever organisation issues mobile devices for employees & contractors, only permit those devices to carry MFA application
  8. Subscribe to dark web monitoring services for identifying credential thefts and act on those reports before credential compromises happen or unauthorised access attempts are initiated
  9. Use hardware based FIDO compliant keys for Privileged User access

Detection & Monitoring

  • Application which is seeking MFA, location of access, device OS  details (which is accessing the application)  must be published to the users before users approve the access
  • Use UEBA or other technologies to monitor user sign ins
  • Enable Specific SIEM use cases to monitor and alert potential unauthorised access. Disable account if it violates certain risk criteria


User Awareness & Training

  • User awareness training to include scenarios on MFA Fatigue
  • Publish and re-emphasise to users how IT will reach out to Users to discuss any requirement or in response to users support requests. This will help to prevent Cyber Criminals who might use any channels to reach out to users and asking them to approve authentication requests
  • Notify user on all suspicious logins and build a feedback loop from the users and atleast after compromise IT/Security can take some actions

Are there any other key steps you are considering in your organisation to ward off the MFA Fatigue? Do let me know.