Why Security Teams Shouldn't Snooze on MFA Fatigue

Employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening security.

Candid Wüest, VP of Cyber Protection Research, Acronis

December 21, 2022


Bzz, bzz, bzz…  

Like a fly buzzing around your head at 3 a.m., persistent requests from multifactor authentication (MFA) fatigue attacks are keeping security professionals awake at night. However, while silenced phones may help individual users sleep a bit better at night, security professionals are having cyber-breach nightmares.  

MFA fatigue, also known as an MFA bombing attack, is a type of social engineering scheme where a cybercriminal sends multiple MFA requests — sometimes in the dead of night — in the hope of frustrating a legitimate user. In response, this user may turn off MFA, thinking it's malfunctioning, or the cybercriminal may impersonate a support employee and request the code they need to enter the user's account.  
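The burst of prompts described above leaves a trace in authentication logs. As an added example (not code from the article or from Acronis), the following Python snippet scans constructed MFA push events for a run of denied or unanswered prompts followed by an approval, which is the signature of a user who gave in; the log format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, method, result.
SAMPLE_LOG = """\
2022-12-20T03:01:02Z alice push denied
2022-12-20T03:01:40Z alice push denied
2022-12-20T03:02:15Z alice push timeout
2022-12-20T03:02:50Z alice push denied
2022-12-20T03:03:30Z alice push approved
2022-12-20T09:15:00Z bob push approved
2022-12-20T09:40:00Z bob push denied
2022-12-20T11:00:00Z bob push approved
"""


def parse_events(text):
    """Parse one event per line into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_mfa_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold non-approved push prompts inside `window`.

    Returns {user: {"unanswered_prompts": n, "approved_after_burst": bool}}.
    approved_after_burst=True means a prompt was accepted during the burst,
    so the session should be reviewed or revoked, not just the user warned.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        for i, (start, _) in enumerate(evs):
            # Sliding window anchored at event i; events are time-ordered.
            in_window = [r for t, r in evs[i:] if t - start <= window]
            unanswered = sum(1 for r in in_window if r != "approved")
            if unanswered >= threshold:
                findings[user] = {
                    "unanswered_prompts": unanswered,
                    "approved_after_burst": "approved" in in_window,
                }
                break  # one finding per user is enough to raise an alert
    return findings
```

A real deployment would feed the detector from the identity provider's push logs and pair an alert with number matching or push suppression for the affected account.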

In the case of the Uber breach this fall, the hacker group Lapsus$ employed the latter strategy. Putting their acting skills and persistence to the test, hackers stole an Uber contractor's credentials and then faked their way into jumping the last barrier protecting Uber's internal systems: a flimsy MFA text code. 

Security professionals can learn a lot from this cyber event and make several changes to their own company's policies to shore up their defenses. 

MFA Tokens Are Not the Be-All, End-All

No authentication factor is absolute, but biometric authentication is as close as we're going to get. Fingerprint and facial recognition are — as of now — very difficult to replicate. Corporate security teams must encourage all employees to enable biometric authentication on every device and system that supports it. Even the savviest user can fall for phishing attempts, which become more sophisticated by the day. Large US companies lose about $14.8 million annually to phishers. (In 2015, this figure was $3.8 million.)

To protect company coffers, in addition to valuable company information, it's best to filter out as many phishing attempts as possible with software; however, the onus is still partially on users. 

Rely on Additional Security Measures Over MFA

Leave it to cybercriminals to make security professionals rethink what they previously regarded as unbreachable. These days, it's crucial to rely on much more than MFA tokens (and even biometric authentication) alone to keep company systems safe from hackers. Alternatives include rotating access keys, only enabling the absolute minimal privileges, and sticking closely to zero-trust policies company wide. Additionally, adaptive authentication, a security protocol that asks for additional identity authentication steps depending on the situation and the user, can further strengthen entry points.  

Zero-trust and adaptive authentication are especially helpful in safeguarding an organization's most sensitive platforms. However, all it takes is for one slip-up or lapse in judgment to let a cybercriminal waltz right into a company's IT ecosystem. How can security teams defend against those? 

Proactive Threat Prevention Is Optimal

Proactive detection and real-time response are the best ways for organizations to prevent cyber threats. One step better is to combine prevention and resolution under one platform. A single pane of glass gives teams a holistic, real-time view that's essential in protecting workloads without friction. Malware, ransomware, zero-days, fileless attacks, advanced persistent threats and more phishing schemes than anyone can count are constantly circling, waiting for someone in an organization to make a mistake. A cyber-protection solution can squash a threat before it causes a leak.  

A Delicate Security Balance

While security teams may be hasty to pile on every additional security measure in existence to supplement MFA, they must not compromise too heavily on convenience. The more inconvenient and time-consuming something as simple as logging in becomes, the more likely it is that employees will cut corners.

It's a delicate balance and a difficult one to strike. Comprehensive employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening your security perimeter. Partnering with a centralized data protection, cybersecurity, and endpoint management solution can be the extra peace of mind IT leaders need to sleep soundly.

About the Author

Candid Wüest

VP of Cyber Protection Research, Acronis

Candid Wüest is the VP of Cyber Protection Research at Acronis, the Swiss-Singaporean cyber protection company, where he researches new threat trends and comprehensive protection methods. He worked for 16+ years as the tech lead for Symantec's global security response team. Wüest is a frequent conference speaker and holds a master's degree in computer science from ETH Zurich, as well as various certifications and patents.
