Cybercrime: Multifactor authentication fatigue

How to defend against a persistent security attack

In recent years, multifactor authentication (MFA) has replaced two-factor authentication as the password security standard. This shift to an MFA security code, call, or text has increased network security by requiring two or more identity verification factors from users to gain access to a business’s digital network.

But cybersecurity is a game of cat and mouse, and soon after MFA’s widespread adoption, hackers developed MFA fatigue attacks—a devious and unrelenting assault on credential security that has left some of the world’s biggest companies reeling in its wake.

Key concepts

In this article, we explore:

  • What MFA fatigue is
  • Who it targets
  • How you can prevent it

What is MFA fatigue?

MFA fatigue—also called MFA bombing or MFA spamming—is a cybersecurity fraud technique that aims to overwhelm users with verification requests. When fraudsters enter a stolen password, your MFA system sends a verification request to the target (the credential’s true owner).

If the target (your employee) approves it, the hacker gains instant access to your system. If they don’t approve it, hackers will continue bombarding employees with authentication requests for hours or even days—wearing down busy or distracted staff members until they approve a fraudulent request that gives them access to your system.

MFA fatigue succeeds by exploiting a common vulnerability of people, from CEOs to junior team members alike. The busier the user is—and the more they trust your authentication system—the more likely they are to approve one of the verification requests and compromise your network security.

Good news: Next-gen MFA tools will increase credential security.

Security experts are perfecting MFA defenses that don’t require passwords. Currently, federal agencies require phishing-resistant fraud prevention technology such as FIDO2 authentication.[1] This approach replaces passwords with a fingerprint, face scan, or security key.

Case study: Strong security saves the day in Cisco MFA fatigue breach.

In 2022 fraudsters stole employee credentials and then attempted to bypass Cisco’s MFA security protections using voice phishing (vishing) attacks.[2] That effort failed, but the criminals then launched an MFA fatigue attack that eventually succeeded, giving them initial access to Cisco’s network. Fortunately, the company’s security team detected the breach before the hackers could reach the most sensitive parts of the network. They were able to both eject the intruders and thwart attempts to regain access, but the initial danger was the result of one user’s error in approving a verification request.

6,000 MFA fatigue attacks take place each day.[3]

Best practices and prevention

Halting MFA fatigue hinges on training your staff and tightly managing the boundaries of your digital network. Here are a handful of tips that can help you begin to do both.

Educate team members on social engineering fraud.

Stopping credential theft is a cornerstone of MFA fatigue prevention: an attacker who never obtains a valid password cannot trigger the verification prompts in the first place. Teach teammates to recognize the telltale signs of social engineering fraud so that scammers lose the stolen credentials they need to launch an MFA fatigue attack.

Raise awareness around MFA security red flags.

Make teammates aware that incessant verification requests, notifications at odd hours, and other unusual messages can be signs of a hacker’s attempted MFA attack. Even slight inconsistencies in notification behaviors should be treated as red flags—and reported immediately.

Keep security protocols tidy.

Passwords should be created following IT security standards, changed regularly, and never reused. Have your IT team consistently monitor sign-in activity to detect irregularities that could signal attacks. Also, direct employees to install updates for firmware, software, and security apps as soon as they become available.
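As an added example of the sign-in monitoring described above (not code from the article or from any vendor), the script below scans a constructed set of MFA push log lines for the red flags named earlier: a burst of prompts to one user, prompts at odd hours, and an approval that follows earlier denials. The log format, field names, and thresholds are assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Thresholds are assumptions for this example; tune them to the organisation's baseline.
BURST_LIMIT = 5                     # this many pushes to one user inside BURST_WINDOW is a red flag
BURST_WINDOW = timedelta(minutes=10)
ODD_HOURS = range(0, 6)             # 00:00-05:59 UTC counts as "odd hours" here

SAMPLE_LOG = """\
{"ts":"2024-03-04T02:01:10Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:01:40Z","user":"alice","event":"mfa_push_denied","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:02:30Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:04:00Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:05:30Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:07:00Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7"}
{"ts":"2024-03-04T02:07:20Z","user":"alice","event":"mfa_push_approved","ip":"203.0.113.7"}
{"ts":"2024-03-04T09:00:00Z","user":"bob","event":"mfa_push_sent","ip":"198.51.100.2"}
{"ts":"2024-03-04T09:00:20Z","user":"bob","event":"mfa_push_approved","ip":"198.51.100.2"}
"""

def parse(log_text):
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def analyze(log_text=SAMPLE_LOG):
    """Return per-user findings: largest push burst, odd-hour pushes, approval after denials."""
    by_user = defaultdict(list)
    for rec in parse(log_text):
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        sent = [r["ts"] for r in recs if r["event"] == "mfa_push_sent"]
        max_burst, start = 0, 0
        for end, ts in enumerate(sent):          # sliding window over push timestamps
            while ts - sent[start] > BURST_WINDOW:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        events = [r["event"] for r in recs]      # an approval that follows a denial is the
        worn_down = ("mfa_push_denied" in events and   # classic "worn down" outcome
                     "mfa_push_approved" in events[events.index("mfa_push_denied"):])
        findings[user] = {
            "max_burst": max_burst,
            "odd_hour_pushes": sum(ts.hour in ODD_HOURS for ts in sent),
            "approved_after_denial": worn_down,
            "suspicious": max_burst >= BURST_LIMIT or worn_down,
        }
    return findings
```

In the constructed sample, alice is flagged on all three counts while bob's single daytime prompt is not; a real deployment would feed the identity provider's export into `analyze` and route flagged users to the help desk for confirmation.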

Adjust MFA parameters.

Not all MFA security processes offer the same level of security. Consider adopting approaches that verify the user’s geolocation, increase the number of factors needed to gain network access, and limit the number of MFA attempts in a given period.

Vary your MFA methods.

Many MFA apps include verification methods less susceptible to fatigue. One example is MFA number matching, which provides users with a random string of digits generated by an authenticator app. The user must then select the correct number from several options offered by the network to avoid entry denial.
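As an added example, not the article's or any vendor's code, the class below shows how two of the controls above fit together in a push MFA service: a per-user prompt limit inside a time window (the "limit the number of MFA attempts" setting) and number matching, so a reflexive tap cannot approve a sign-in. The class name, limits, and in-memory stores are assumptions; a production system would persist them and alert when a user is locked.

```python
import secrets
import time

MAX_PROMPTS = 3          # assumption: pushes allowed per user within WINDOW seconds
WINDOW = 15 * 60
CHALLENGE_TTL = 60       # seconds a pending prompt stays valid

class PushMfa:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock (seconds) so a scenario can move time
        self.prompts = {}        # user -> timestamps of pushes sent within WINDOW
        self.challenges = {}     # challenge id -> (user, number, expiry)
        self.locked = set()      # users held for review after exceeding MAX_PROMPTS

    def start_challenge(self, user):
        """Run after the password check. Returns (challenge_id, number) to show on
        the sign-in screen, or None when the user is rate limited or locked."""
        t = self.now()
        recent = [p for p in self.prompts.get(user, []) if t - p <= WINDOW]
        if user in self.locked or len(recent) >= MAX_PROMPTS:
            self.locked.add(user)  # repeated prompting is itself the signal: stop and alert
            return None
        self.prompts[user] = recent + [t]
        number = secrets.randbelow(100)      # two-digit code the app never sees on its own
        cid = secrets.token_hex(8)
        self.challenges[cid] = (user, number, t + CHALLENGE_TTL)
        return cid, number

    def respond(self, cid, entered_number):
        """Called from the authenticator app. Approves only if the user typed the
        number from the sign-in screen; a plain tap (entered_number=None) fails."""
        entry = self.challenges.pop(cid, None)   # single use, whatever the outcome
        if entry is None:
            return False
        _user, number, expiry = entry
        return self.now() <= expiry and entered_number == number

def simulate():
    """Scripted fatigue attempt with a fake clock: prompts are triggered every two
    minutes; the fourth is refused and the user stays locked after the window passes."""
    clock = [1_700_000_000.0]
    mfa = PushMfa(now=lambda: clock[0])
    outcomes = []
    for _ in range(4):
        outcomes.append("prompted" if mfa.start_challenge("alice") else "refused")
        clock[0] += 120
    clock[0] += WINDOW
    outcomes.append("prompted" if mfa.start_challenge("alice") else "refused")
    return outcomes
```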

Consider implementing least privilege.

Least privilege places highly sensitive information like HR records and financial data under restricted access. With it enacted, only one or two people in an entire organization have the credential access to pull up certain information like bank account numbers. This means hackers can only get what they want by targeting a specific person, not just anyone.

FAQ on MFA fatigue

Yes, there are several. Among the stealthiest of these methods are adversary-in-the-middle attacks that use fake sign-in pages, and service desk social engineering, where bad actors trick IT support by impersonating a staff member who forgot their password.

Zero trust is a tightly controlled IT security method that demands ID verification for every user, no matter the circumstances.

Turn to professionals for protection.

To learn more about cybersecurity threats and the various types of fraud facing your organization, connect with one of Truist’s relationship managers.
