Multifactor authentication (MFA) is a staunch defense against malicious activity. Any user accessing a corporate network and corporate resources should be required to present more than one type of authentication. Firms across the industry have adopted MFA as another line of defense against a breach.  

But as fast as industry cybersecurity evolves, so do hackers’ strategies. A tactic called MFA fatigue is being used with increased frequency. And why not? These attacks have low complexity and high success.  

cyber operations secure your attack surface now

How MFA Fatigue Works 

MFA fatigue relies more on exploiting human nature than on sophisticated technology. Socially engineered situations prey on trust and create urgency through authority cues to coax users into giving information that allows access to a corporate environment.  

Users who log in with MFA may receive a push notification with authentication prompts. Criminals can use that push notification to their advantage. Using stolen credentials, they log in to a system, then bombard the user with urgent requests to approve that login. The goal is to overwhelm or annoy the user until they either inadvertently approve the request or approve it out of frustration.   

That annoyance is MFA fatigue, a critical element of phishing, including email, voicemail (vishing), and text messaging (smishing).   

Suppose the user doesn’t acknowledge the alert. In that case, the hacker escalates and uses another app (e.g., WhatsApp or Viber) or a phone call to contact the user and pose as a legitimate entity, like a company IT representative. This bit of social engineering is critical.   

Humans tend to go along with requests when initiated by someone we trust. Because the user trusts the IT department, they will approve the MFA prompt believing they’re doing the right thing.  

Hackers use the access they just gained to move through your systems, steal data, and take control of more systems. 

MFA Fatigue in the News 

Uber suffered a breach when criminals obtained VPN credentials and spammed an employee with MFA verification prompts via push notifications to their phone (urgency). The employee denied the verification attempts but relented when the criminal contacted the user via WhatsApp, impersonating Uber IT, and told the target to accept the prompts (trust).   

Similarly, Cisco was compromised when an employee’s personal Google account was hacked, and the hacker found Cisco credentials synced to that account. The hacker spammed the employee with MFA prompts until the employee accepted. With verified credentials in hand, the hacker logged in to Cisco’s network as the employee.   

Phishing scams and social engineering attempts can be tricky to spot because they appear to come from familiar sources. Any messages or websites seem to be the real deal and may not raise immediate red flags. It’s not unusual for criminals to up their game with company images or logos, adding to the perception that the alerts are legitimate.   

Use Education and Technology to Protect Your Users 

Avoiding an MFA fatigue attack relies on two things: recursive employee training and access to innovative approaches to ensure and maintain system resilience.

With any phishing attack, education is the first defense against an assault on your environment. Update your phishing training guides to include MFA fatigue, and survey employees to gauge their awareness and identify any knowledge gaps.

Our vCISOs hold security awareness seminars that address MFA fatigue (and what to look for), policy reviews, and risk assessments. Part of that education is reminding users to approve only notifications they’ve initiated. If they haven’t logged in anywhere but receive an alert (or repeated alerts), they should report the suspected security weakness and incident to IT.   

The second defense is using technology to thwart breach attempts. Agio has invested significantly in tools and upgraded service models that innovate and modernize the MSP model. Our extended detection and response (XDR) portfolio uses predictive intelligence to ensure your firm is truly cyber-resilient.  

Our XDR solution monitors for common attacker behavior (like actions linked to MFA fatigue), excessive login failures, logins from multiple countries, and more. Multifactor login attempts are limited to ten. Once you hit ten failed tries, the account is locked. With XDR, we also see actions attackers usually take immediately after compromising an account, so we can stop the attack before it causes harm.


While MFA fatigue attacks aren’t primarily technical, the potential for chaos and loss is high. And because of its simplicity, MFA fatigue is quickly becoming a favorite tactic for hackers. But make no mistake, any breach—regardless of sophistication—hurts your reputation and bottom line, hinders productivity, and can lead to regulatory fines.   

Protect yourself with education and engage a team with the tools to help you safeguard your systems. Our vCISOs guide you through that process, and our XDR program watches for gaps and preempts attacks. In many cases, you’ll never know criminals tried to break through to your environment.

See also  Enhancing RIA Operations: The Case for Outsourcing Managed IT Services