Stolen credentials can pose a major threat and give attackers instant access to a company's assets — employee data, customer data, sensitive information and financials. According to the 2022 Verizon Data Breach Investigations Report (DBIR), stolen credentials are responsible for nearly half of all cyberattacks. This is up from about 30% in 2017. The increase of stolen credentials on the dark web has made additional authentication methods vital for identity protection. The most commonly discussed is multi-factor authentication (MFA). MFA is a layered approach to cybersecurity where a user must present two or more credentials to verify that they are, in fact, who they say they are.

Previously touted as a vital security feature, MFA is not all it was once cracked up to be. Recent attacks on Uber and Twilio have shown that attackers are finding ways around it. One of the main problems with MFA? The tired person on the other side. Employees receive non-stop notifications requesting access to systems and, eventually, they give in or make a mistake.

Today’s hackers are waiting for people to make that same mistake. They deploy social engineering, spear phishing and waterholing attacks — and now push bombarding or exploiting MFA fatigue. In an MFA-fatigue attack, the hacker already has the victim’s username and password, which they likely gained using a credential stuffing or an email phishing attack. The only thing missing is the secondary authentication step. From this point, the hackers start sending push notifications to a user’s phone or device, where the user has to press accept or deny. They keep sending it until the user typically gets fed up before accepting it to eliminate the relentless notifications. Additionally, attackers send these push notifications at the most active times of the day to catch employees off guard. Today’s hackers are adaptable and have time to "lie in wait."

Dangers of MFA fatigue

MFA-fatigue attacks are pushed at the beginning of a work day, while in a meeting, right before lunch, in the middle of the night and right before holidays — times when employees are rushed to get things done. Employees become complacent since they deal with the authenticator app potentially hundreds of times a day and they just want it to go away. Pressing accept not only makes the notifications stop, but it also gives the attacker exactly what they want.

When attackers gain access to a business system the possibilities are endless. And, if hackers get access to the right account, they can gain access to a cloud service provider or network, laterally move throughout that environment and take custody or advantage of sensitive and confidential information. Attackers can do a lot of damage and even ruin a company’s reputation with the simple push of a button.

Prevention starts with proper training

Today’s attackers take advantage of the fact that users complete authentication requests without much thought. Users get the notification, press accept and go about their business. In a perfect world, this would be fine, but the attacker complicates the process and undermines the effectiveness of MFA. That’s why today’s businesses need to do more to prevent such infiltration.

Employees need proper training to know what to look for in these instances. Users need to know how to respond, or rather not respond, and whom to notify should they get a push notification they did not initiate. IT teams may also be able to configure access rules to prevent the process from completing if a device or request does not conform with policy.

Implement the principle of least privilege

Businesses serious about protecting their assets should also go a step beyond training and implement the principle of least privilege. Under the principle of least privilege, users only have access to what they need to carry out their job. This includes applications, files and data access. Only giving employees specific access can limit the damage that an MFA-fatigue attack can incur. Of course, this takes preparation on the part of the IT team and would require developing a process to define how requests for access are handled. There should also be periodic reviews to determine how access is utilized and privileges should be updated based on job functions and usage patterns.

Companies should also implement a zero trust strategy where every device and user are authenticated and authorized. Devices and users that are not authenticated and authorized simply don’t get access. Zero trust frameworks can eliminate the risk of credential theft even if hackers have a username and password and can launch an MFA-fatigue attack. The trick here is that despite having user credentials, the attacker has no way to attest to the device identity and additional user-centric contextual information such as geographic locations, time-based policies or device-posture requirements. With these additional cryptographic verification and contextual information steps, zero trust thwarts unauthorized logins.

Today’s attackers are adaptable and evolve quickly. As users, we must also evolve and take steps to secure our identities. With the right combination of training, security policies and zero trust technology, it is possible to provide protection from any credential-based attack vector.