What is MFA Fatigue and how it can effect your business
MFA Fatigue is a social engineering attack where repeated push notifications are sent to users in the hope that with the constant barrage of multifactor authentications the users click accept which then allows attackers into their accounts.
Multifactor authentication is a means of adding another layer of security to users accounts, which could be their personal or work accounts. By sending repeated push notifications the cyber criminals prey on users’ boredom or frustration of having to accept so many multifactor popups, sometimes multiple times a day depending on how many accounts and applications a user has access to. The ‘Fatigue’ sets in when users just press accept to rid themselves of the tirade of notifications
What are the dangers of MFA Fatigue
When a user accepts a fake multifactor prompt, it gives intruders access to their account. This can lead to a host of attacks within your companies’ systems, be it phishing emails being sent out to clients and forwarders being set up. These attacks can become as dangerous as admin accounts being hijacked, services being purchased under billing accounts, being locked out of your companies’ network and or email/CRM system.
How to fight against MFA Fatigue
Least Privilege
Always use least privilege when setting up and maintaining user accounts, only give people access to what they require to complete their job role. For administrative accounts, do not use these as daily usage accounts (as recommended by IASME) to limit the risk of these accounts being attacked and the damage they could do.
Conditional Access
Setup Conditional Access where possible, change the frequency of prompts from every day to every 7 days if it suits your organization.
Explore the option of not requiring Multifactor when in certain locations (i.e in the office)
M365 Authentication app for Microsoft Services
For Microsoft services using the Microsoft authentication app is the most secure way to protect accounts, no longer does it just send you a push notification but you receive a prompt to type in the number on your screen, this is something only the user will be able to see or not see if it is the case of them being spammed with authentication requests.
Training
Run regular training sessions to remind users to be vigilant and alert and keep good password policies in place.
