What is MFA Fatigue?

May 13, 2024

When it comes to cybersecurity, multifactor authentication (MFA) stands out as a critical layer of defense against bad actors gaining unauthorized access to your accounts. As cyber threats become more sophisticated, it's essential to understand the vulnerabilities within MFA systems. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet highlighting threats against accounts and systems using mobile push-notification-based MFA, shedding light on a technique known as "MFA fatigue."

What is Mobile Push-Notification-Based MFA?

Mobile push-notification-based MFA is a form of  MFA that utilizes a mobile application to authenticate users. Upon logging in with username and password, users receive a push notification on their smartphone. By approving this notification, users grant themselves access to their accounts. While seemingly straightforward, this method has vulnerabilities that bad actors can exploit.

Understanding MFA Fatigue

MFA fatigue, also referred to as "push bombing," occurs when the bad actors bombard users with continuous push notifications. This bombardment aims to overwhelm users, leading them to either approve the requests inadvertently or out of annoyance with the constant notifications. Consequently, users unknowingly grant access to threat actors, jeopardizing the security of their accounts and sensitive information.

Figures 1 and 2 show how these prompts appear in Microsoft Authenticator. (Source: CISA)

Mitigating MFA Fatigue

To address the risks associated with MFA fatigue, CISA strongly advocates for the implementation of phishing-resistant MFA methods. Phishing-resistant MFA utilizes techniques that are less susceptible to manipulation by threat actors. However, if organizations are unable to implement phishing-resistant MFA immediately, CISA recommends employing number matching as an interim mitigation strategy.

Number matching requires users to enter specific numbers displayed on the login screen into their authentication app to approve the request. This additional step serves as a deterrent against MFA fatigue, as each prompt generates a unique set of numbers, making it difficult for threat actors to exploit the system through bombardment.

Source: CISA

Best Practices

In addition to implementing number matching, organizations and users should prioritize user training and awareness. As a user, you should leverage government resources to learn how to recognize MFA spam and reporting suspicious activities promptly. Furthermore, organizations should investigate instances where users deny push notification requests, as this could indicate a compromised password.

As cyber threats continue to evolve, it's crucial for organizations to adapt their security measures accordingly. Mobile push-notification-based MFA offers convenience and enhanced security, but it's not immune to exploitation. By understanding the risks associated with MFA fatigue and implementing appropriate mitigations, organizations can bolster their defenses and safeguard against unauthorized access to sensitive information.

Please note: The content in this article comes from individual opinions and experiences. The content should not be taken as advice coming from City National Bank of Florida. City National Bank of Florida does not offer tax, legal or accounting advice.



Related Posts

Stay Connected

Sign up for our newsletter to stay up to date on banking, product and service updates!