{"id":7917,"date":"2023-04-03T15:55:20","date_gmt":"2023-04-03T14:55:20","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/\/\/the-rise-of-mfa-fatigue-attacks-how-to-respond-to-a-new-authentication-threat\/"},"modified":"2025-12-15T16:18:00","modified_gmt":"2025-12-15T16:18:00","slug":"the-rise-of-mfa-fatigue-attacks-how-to-respond-to-a-new-authentication-threat","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/iso-27001\/insights\/the-rise-of-mfa-fatigue-attacks-how-to-respond-to-a-new-authentication-threat\/","title":{"rendered":"MFA Fatigue: How To Respond to Authentication Threats"},"content":{"rendered":"<p><em>Implementing some form of Multifactor Authentication (MFA) to protect user accounts has for some years been recommended as a cyber security best practice. Indeed, with credentials under constant and sophisticated attack these days, it is becoming a default in many organisations.<\/em><\/p>\r\n<p>Naturally, the attackers won\u2019t simply give up and have started to look for ways to beat MFA.<\/p>\r\n<p>MFA is a patchwork of technologies and formats, meaning each form must be undermined in different ways. The best-known example is the way a spate of SIM swap attacks turned SMS two-factor authentication (2FA) from a reliable security layer into something a U.S. Government agency famously hasn\u2019t recommended using for business security since 2016.<\/p>\r\n<h2>But What About Other Types of MFA?<\/h2>\r\n<p>An acknowledged drawback of MFA is that to gain access the user must usually do something extra, typically enter a code in addition to a password, which takes time. This affects productivity if it happens too often and, depending on how authentication policies are configured, it can quickly become a chore.<\/p>\r\n<p>An increasingly standard solution is to implement MFA using application push notifications. 
This approach allows admins to set up MFA to send a confirmation pop-up to a user\u2019s smartphone asking them to authenticate access. The advantage is that it\u2019s less intrusive than other types of MFA and therefore meets less user resistance.<\/p>\r\n<p>The underlying concept is that push notifications are sent to the user\u2019s smartphone, which is in their possession only. Problem solved? Everyone assumed so until a couple of years ago, when cyber criminals started using an ingenious technique called <em>MFA fatigue<\/em> or <em>push notification spamming<\/em> to beat the system.<\/p>\r\n<h2>Compromised Credentials<\/h2>\r\n<p>A prerequisite for an MFA fatigue attack is that the criminals have compromised the user\u2019s credentials, i.e., the password. At that point, they trigger repeated push notifications to be sent to the genuine user\u2019s account to complete the MFA process. Most users see the requests and either ignore or decline them, assuming perhaps that the MFA system has malfunctioned. Unfortunately, in a small number of cases, the repeated requests eventually wear down the user\u2019s patience and are approved.<\/p>\r\n<p>Microsoft <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-azure-ad-blog\/defend-your-users-from-mfa-fatigue-attacks\/ba-p\/2365677\" target=\"_blank\" rel=\"noopener\">research suggests<\/a> that around 1% of users fall prey to push notification spamming, more than enough to make the technique worth it for an attacker. 
From this, we can see that while push notification MFA is highly effective, it still allows users to be socially engineered in ways that are harder or impossible with other types of MFA.<\/p>\r\n<p>An early wave of attacks involved nation-state attackers launching <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/russian-targeting-gov-business\" target=\"_blank\" rel=\"noopener\">MFA fatigue attacks<\/a> on Office\/Microsoft 365 accounts as a staging post to target the whole Active Directory infrastructure. Other service providers have also noticed an uptick in the same technique, which suggests it is only a matter of time before it becomes mainstream. On that topic, in September 2022, the car-sharing company Uber reported it had fallen victim to a cyber attack, a key component of which was the use of MFA fatigue to bypass security. There have been others.<\/p>\r\n<h2>Can It Be Stopped?<\/h2>\r\n<p>Microsoft has <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-azure-ad-blog\/defend-your-users-from-mfa-fatigue-attacks\/ba-p\/2365677\" target=\"_blank\" rel=\"noopener\">published data<\/a> on the increasing number of attacks it has detected that use MFA fatigue. With good timing, in 2021 the company modified its Authenticator app (which enables push technology) to implement a feature called <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-azure-ad-blog\/new-microsoft-authenticator-security-features-are-now-available\/ba-p\/2464386\" target=\"_blank\" rel=\"noopener\">number matching<\/a>, which requires the user to enter a two-digit code (which changes with each request) to approve any push notification. Both the approver and the attacker must enter this number, but only the genuine user can see it. 
In addition, number matching can also be configured to show the real user the geo-location of the login request\u2019s IP address, as well as the application being accessed, which might raise further suspicion.<\/p>\r\n<p>Number matching will become the default for Microsoft Authenticator from February 2023. It\u2019s a neat solution, albeit at the expense of asking users to enter another code, the very thing push notification was supposed to avoid.<\/p>\r\n<h2>What Else Can Be Done To Counter MFA Fatigue?<\/h2>\r\n<p>One answer is to abandon passwords altogether and adopt passwordless authentication. This means there is no password to steal, so attackers have nothing to compromise to launch a fatigue attack in the first place. This also addresses the issue of phishing attacks. The downside is that passwordless authentication requires time and investment, something not every organisation can afford.<\/p>\r\n<p>Right now, all users have heard of phishing, but very few have heard of MFA fatigue attacks. Put simply, if users don\u2019t know about the technique, it\u2019s a certainty that some of them will fall for it. The job for organisations should be to educate them by showing how this bypass works using visuals. Don\u2019t rely on a text explanation \u2013 a visual is likely to make more of an impression.<\/p>\r\n<h2>The Bottom Line<\/h2>\r\n<p>Hackers are now targeting push notification authentication, but it is far from alone in this. Codes generated by authentication apps have also <a href=\"https:\/\/www.zdnet.com\/article\/hackers-are-finding-ways-around-multi-factor-authentication-heres-what-to-watch-for\/\" target=\"_blank\" rel=\"noopener\">been in the firing line<\/a>. This reminds us that MFA technologies are not immune from social engineering. However, in the case of MFA fatigue attacks, the critical issue is that awareness is very low. 
That is an open invitation to trouble.<\/p>","protected":false},"excerpt":{"rendered":"Implementing multifactor authentication (MFA) to protect user accounts has for some years been recommended as a cyber security best practice.","protected":false},"author":24,"featured_media":7411,"template":"","meta":{"_acf_changed":false,"_searchwp_excluded":"","footnotes":""},"standard-post-categories":[31],"standard-post-tags":[91],"class_list":["post-7917","standard-post-filter","type-standard-post-filter","status-publish","has-post-thumbnail","hentry","standard-post-categories-insights","standard-post-tags-iso-27001"],"acf":[]}