From bridewell.com
Nobody likes to be interrupted, or asked the same question over and over again. It can be frustrating, especially when you are trying to focus on something time critical.
But what if, during the rush to complete that work before your deadline, a barrage of multi-factor authentication (MFA) prompts begins lighting up your phone? And what if a simple tap of the ‘Approve’ button in your authenticator app allows a criminal to take over your work account, enabling them to steal data from your organisation or conduct other nefarious acts against it?
This form of social engineering is increasingly being seen by organisations that have implemented multi-factor authentication to provide an additional layer of security beyond basic usernames and passwords. The attack method has been coined multi-factor authentication fatigue, also known as MFA fatigue.
What is Multi-Factor Authentication Fatigue?
Multi-factor authentication fatigue is a form of social engineering whereby an adversary, through automated or manual means, overwhelms a user with multi-factor authentication prompts until they approve the sign-in request. When faced with hundreds of notifications to approve logins, users may approve the request by accident, because they assume it is a re-authentication prompt for their current session, or simply to stop the notifications, allowing the adversary to gain access to their account. Attempts have also been observed in which adversaries pose as a member of the organisation’s tech support and contact the user directly to encourage them to approve the prompt.
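The pattern described above (a burst of push prompts the user does not approve, possibly followed by a single approval) is what a detection rule should look for in identity-provider sign-in logs. The following is an added example, not Bridewell's code: it runs a sliding-window count of unapproved MFA pushes per user over a constructed log extract. The log format, field names and the `push_denied` / `push_timeout` / `push_approved` outcome labels are assumptions for illustration, not any vendor's real schema; adapt the parser to your own provider's export.

```python
"""Flag MFA-fatigue-style push bursts in authentication logs.

Added example; the log lines and outcome labels below are constructed for
illustration and do not reflect a real identity provider's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, user, MFA push outcome, source IP.
# alice receives five prompts she does not approve in three minutes, then
# approves one; bob shows normal behaviour.
SAMPLE_LOG = """\
2023-10-02T08:01:10Z alice push_denied 203.0.113.5
2023-10-02T08:01:45Z alice push_timeout 203.0.113.5
2023-10-02T08:02:20Z alice push_denied 203.0.113.5
2023-10-02T08:02:55Z alice push_denied 203.0.113.5
2023-10-02T08:03:30Z alice push_denied 203.0.113.5
2023-10-02T08:04:05Z alice push_approved 203.0.113.5
2023-10-02T08:10:00Z bob push_approved 198.51.100.7
2023-10-02T09:00:00Z bob push_denied 198.51.100.7
"""

WINDOW = timedelta(minutes=10)   # sliding window for counting unapproved pushes
THRESHOLD = 3                    # unapproved pushes in WINDOW that raise an alert
UNAPPROVED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the constructed space-separated format into sorted event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose unapproved pushes within `window`
    reach `threshold`. Severity is raised to 'high' if the user approves a
    push while the burst is still inside the window, which is the outcome
    the attacker is waiting for."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
    alerts = {}
    for ts, user, outcome, ip in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if outcome in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "first_seen": q[0], "severity": "medium",
                    "source_ip": ip,
                })
                alert["count"] = len(q)
        elif outcome == "push_approved" and user in alerts and q:
            # An approval right after a burst is the signal to act on:
            # treat the session as potentially attacker-controlled.
            alerts[user]["severity"] = "high"
            alerts[user]["approved_at"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the rule produces a single alert for alice with a count of five unapproved pushes and severity raised to high by the approval at 08:04:05; bob's single denial never reaches the threshold. The window and threshold are tuning knobs: a short window with a low threshold catches automated floods quickly, while a longer window is needed for the slower, manually driven attempts the article also mentions.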