What is MFA fatigue? – IT PRO

Multi-factor authentication (MFA) is a widely used security strategy that requires the use of two or more different verification factors to authenticate the user. Unfortunately, as MFA has become more prominent across the business landscape, it’s increasingly become vulnerable to exploitation by cyber criminals thanks to MFA fatigue. 
MFA is more secure than the simple combination of a username and password because it adds a second authentication layer, and it’s increasingly required for all kinds of platforms, from online banking to business systems. You still need a username and password; when these are entered correctly, a message is sent to your mobile phone asking you to approve the login attempt. Only when approval is given can you log in. 
MFA is both easy to use and offers more protection of critical assets, meaning it’s been increasingly adopted by a number of services. In fact, it’s difficult to avoid encountering some form of two-factor authentication (2FA) or MFA in digital life.
However, everybody must now handle a growing number of push notifications and codes, and weariness is setting in. While MFA is undoubtedly more secure than not using it, the process can be tiring for users who once only needed a username and password combination locked away in a password manager. Every time a user wants to log in to their bank, for example, or their online productivity suite, or their work email, they must approve their own login attempt. Having to do this can become irritating and tedious, and this is what cyber criminals hope to take advantage of. 
MFA often uses a notification sent to a phone, called a ‘push notification’. It can also come in the form of an SMS code, or an authenticator app. In the case of a push notification, a message will alert the user to an attempt to log in and ask them to ‘allow’ or ‘deny’ the login by tapping a button. Alternatively, the push notification might require biometric authentication, or a one-time passcode. Nevertheless, these button-based types of notification are the ones that offer cyber criminals their greatest opportunities. 
The frustration of push notifications piling up when the user has already gone through the first login stage in a different way – for example through their web browser – can start to feel tedious. All it takes is one person to feel so annoyed at receiving yet another notification, that they hit the approve button without really thinking about it or meaning to. This is what cyber criminals waiting in the wings are banking on.
A hacker seeking access to somebody’s account can submit a username and password combination to generate a push notification to the victim’s smartphone. These credentials can be obtained in various ways, including running through lists of alphanumeric combinations stored in a dictionary alongside guessed passwords, or by using actual credentials obtained through insider leaks, theft or phishing.
As soon as the correct username and password combination is used, the push notification is triggered. This won’t happen just once. Automated hostile systems make multiple attempts, each one generating a push notification, in a brute force attack. This is in the hope the victim hits the ‘approve’ button out of sheer fatigue, annoyance or carelessness. 
Cyber criminals rely entirely on their victim authenticating the login attempt. While some users will be diligent all the time, hackers only need a tiny fraction of users to grant access. In the end, MFA fatigue attacks rely on users making mistakes.
While MFA helps keep systems secure, the vulnerability lies with users succumbing to fatigue and tapping an approval notification out of frustration. Businesses, however, can take a number of steps to minimise these errors and mitigate the risks.
Firstly, let users know that receiving multiple push notifications is very likely the action of a cyber criminal, and that these notifications should be reported to the IT security team. This can make the user feel they have some agency, and allows them to take positive action. 
Once informed that a brute force attack is in progress, the IT security team can change the user’s password, and this will mean that a hacker no longer has a working username and password, so they can’t trigger push notifications. 
It’s also wise to encourage users to change their passwords if even a single push notification shows a login attempt from an unfamiliar geographical location, or an unfamiliar device. If the user doesn’t recognise where the login attempt is coming from, it may well not be a legitimate login attempt.
Using an alternative form of MFA, such as a code issued by an authenticator app, would avoid this issue altogether. There are a number of alternatives available to the push notification, including a one-time code delivered by text message, or biometric authentication. Setting a limit to sign-in requests that can generate a push notification might also be helpful, with systems requesting a password reset if that limit is reached.
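The defensive steps above (treat a burst of push prompts as an attack in progress, cap the number of prompts before forcing a password reset, and flag a single prompt from an unfamiliar location or device) can be turned into detection logic run over sign-in logs. The following is an added example written for this article, not code from IT PRO or from any identity provider: the log format, the user names, the per-user location baseline and the threshold of 5 prompts in 10 minutes are all constructed for illustration.

```python
"""Detect MFA-fatigue push floods and unfamiliar sign-in prompts in auth logs.

Added example; the log format, users, baseline and threshold are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format: timestamp user EVENT key=value...
# alice is being flooded from an unfamiliar place and eventually taps approve;
# bob approves one legitimate prompt; carol gets a single prompt from abroad.
SAMPLE_LOG = """\
2023-03-01T08:00:05Z alice PUSH_SENT geo=RO device=unknown
2023-03-01T08:00:11Z alice PUSH_DENIED geo=RO device=unknown
2023-03-01T08:00:52Z alice PUSH_SENT geo=RO device=unknown
2023-03-01T08:01:40Z alice PUSH_SENT geo=RO device=unknown
2023-03-01T08:02:31Z alice PUSH_SENT geo=RO device=unknown
2023-03-01T08:03:15Z alice PUSH_SENT geo=RO device=unknown
2023-03-01T08:03:58Z alice PUSH_APPROVED geo=RO device=unknown
2023-03-01T08:05:00Z bob PUSH_SENT geo=GB device=known
2023-03-01T08:05:07Z bob PUSH_APPROVED geo=GB device=known
2023-03-01T09:12:30Z carol PUSH_SENT geo=US device=known
"""

# Hypothetical baseline of countries each user has signed in from before.
# A real deployment would build this from sign-in history.
KNOWN_GEO = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

PUSH_LIMIT = 5                  # constructed cap on prompts per window
WINDOW = timedelta(minutes=10)  # constructed sliding window


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, user, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, **fields}


def new_finding():
    return {"pushes": 0, "flood_at": None,
            "approved_after_flood": False, "unfamiliar": []}


def analyse(log_text, limit=PUSH_LIMIT, window=WINDOW):
    """Return per-user findings: prompt count, time the cap was reached,
    whether an approval followed the flood, and prompts from unfamiliar
    locations or devices."""
    recent = defaultdict(deque)        # timestamps of prompts inside the window
    findings = defaultdict(new_finding)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        f = findings[user]
        if ev["event"] == "PUSH_SENT":
            f["pushes"] += 1
            q = recent[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop prompts outside window
                q.popleft()
            if len(q) >= limit and f["flood_at"] is None:
                f["flood_at"] = ev["ts"]            # cap reached: stop prompting
            if (ev.get("device") != "known"
                    or ev.get("geo") not in KNOWN_GEO.get(user, set())):
                f["unfamiliar"].append(ev["ts"])
        elif ev["event"] == "PUSH_APPROVED" and f["flood_at"] is not None:
            f["approved_after_flood"] = True         # the fatigue attack worked
    return dict(findings)


def response_actions(findings):
    """Map findings to the responses the article describes: a flood means the
    attacker holds a working password, so reset it and stop prompting; a lone
    prompt from an unfamiliar place still warrants a password change."""
    actions = {}
    for user, f in findings.items():
        if f["approved_after_flood"]:
            actions[user] = "likely compromise: revoke sessions, reset password, stop push prompts"
        elif f["flood_at"] is not None:
            actions[user] = "push flood: stop push prompts, reset password, notify user"
        elif f["unfamiliar"]:
            actions[user] = "unfamiliar sign-in context: advise password change"
    return actions


if __name__ == "__main__":
    for user, action in sorted(response_actions(analyse(SAMPLE_LOG)).items()):
        print(f"{user}: {action}")
```

The sliding window is what makes the prompt cap meaningful: five prompts spread over a working day are normal, five within ten minutes are not, and the point at which the cap trips is exactly where a system should stop sending prompts and request a password reset rather than let the flood continue. Treating an approval that arrives after the cap as a probable compromise, rather than a successful login, reflects the article’s point that the attack only needs one tired tap.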
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site www.futureplc.com
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885