MFA Fatigue – It is a Real Problem

When hackers are faced with multi-factor authentication, they look for another weak spot – often it is the human being.

For example, Office 365 users are being bombarded with push notifications requesting access. After a while they just say yes to make it stop.

Now the researchers have given it a name – Multi-factor authentication fatigue.

The problem is that the attack is simple. Using a botnet, spray passwords across a big network of compromised machines to attack accounts using passwords from previous attacks. Done slowly enough, it won’t trigger the account lockout and give that the hackers have millions of accounts to try, that slow speed is really not an issue.

Just to make sure that the attackers know how to make this attack work (its pretty simple), security firm GoSecure has published proof of concept attack code.

GoSecure has suggested several ways to mitigate the threat, but it is clear that the hackers are not going to give up, so that means IT departments need to come up with a plan.

Allowing push notifications is done for convenience. This may mean that a somewhat less convenient method of MFA is going to have to be used.

Credit: Portswigger

by