
What Is MFA Fatigue & How to Prevent It



Multi-factor authentication (MFA) is a widely used method to enhance security during login processes. However, MFA fatigue has emerged as a significant concern, enabling attackers to exploit user behavior. MFA fatigue attacks are becoming increasingly common, with a wave in 2022 impacting several well-known companies and their user bases, including Uber.

This article will explore what MFA fatigue is, the implications it has for your organization and users, and how to prevent MFA fatigue attacks.

What is MFA fatigue?

MFA fatigue refers both to a specific type of attack (a form of MFA bypass) and to the underlying user condition that makes such attacks possible. At its core, MFA fatigue is a state of weariness or frustration experienced by users when encountering multi-factor authentication processes. While MFA is intended to bolster security by requiring an additional verification step, the repeated demands for authentication can become burdensome for users over time.

Picture a scenario where a user logs in to an app or website that employs MFA, perhaps for the first time in a while. They input their user credentials and are then prompted for some other factor to verify their identity, like a code sent to their email or phone. However, users may lack familiarity (or may perhaps be too familiar) with the appearance or source of the verification message, leading to a sense of indifference. This lack of attentiveness to the verification process creates an environment ripe for MFA fatigue attacks.

In practice, other factors may also contribute to users’ experience of fatigue or frustration with MFA and login processes more broadly. For example, users often have to create and memorize credentials for many online accounts, typically with different lengths, strengths, and complexity standards. Whereas one program or website requires seven characters and at least one number, another might require nine characters, with no numbers allowed.

Over time, these frustrations add up. They create an environment where even well-intentioned users might fall victim to an MFA fatigue attack because they feel overburdened with authentication processes.

Implications of MFA fatigue

The most significant implication of MFA fatigue is that it makes organizations vulnerable to MFA fatigue attacks, where hackers exploit user weaknesses to break authentication.

Attackers leverage user fatigue to exploit weaknesses in the authentication process, ultimately undermining the effectiveness of MFA. Developers and adopters of MFA systems must recognize the critical role they play in addressing MFA fatigue and implement robust security measures to prevent attacks and data loss.

How an MFA fatigue attack unfolds

Unlike some other cyberattacks, an MFA fatigue attack requires extensive prior knowledge and context on the attacker's part. They need to know that an organization uses MFA, what its protocols look like, and, most critically, what credentials their targets use to log in.

MFA fatigue attacks vary depending on their targets. But they usually follow a pattern like this:

  • First, threat actors must have the user’s primary login credentials (username and password), which they might seize through another cyberattack vector, like brute force or phishing.

  • Then, attackers send the user messages that mirror the portal’s typical MFA prompts, attempting to coax a login attempt by having them click on a provided link.

  • Once the victim gives in and provides the desired input, attackers gain access to their accounts and can illegitimately use, delete, or otherwise compromise sensitive data.

Attackers often send numerous messages with insidious details designed to assuage users’ concerns. For example, they might include hedging language about the auth systems being in flux, which justifies sending multiple messages. This might be paired with automation, making it easier for cybercriminals to bombard users’ inboxes and wait for them to give in.

How to prevent MFA fatigue attacks

To effectively combat MFA fatigue attacks and safeguard sensitive data, organizations can employ various preventive measures. Implementing these strategies helps alleviate the burden on users while maintaining a robust security posture. Here are a few methods to consider:

  • Educating users. Promoting awareness and educating users about MFA best practices is crucial. Organizations can provide guidance on recognizing phishing attempts, verifying the legitimacy of MFA prompts, and maintaining strong password hygiene. By empowering users with knowledge, they become more vigilant and better equipped to protect themselves against MFA fatigue attacks.

  • Exploring strong MFA options. Embracing strong authentication methods, such as fingerprint biometrics or passwordless authentication, can alleviate MFA fatigue. Biometric authentication leverages unique physical characteristics, while passwordless authentication eliminates the need for remembering and managing complex passwords, reducing user frustration and fatigue.

  • Simplifying MFA processes. Supporting a variety of secure authentication factors, such as email codes, SMS verification, or hardware tokens, offers users flexibility and choice. By streamlining the MFA process and allowing users to select their preferred method, organizations can reduce fatigue and make authentication more user-friendly.

  • Risk-based authentication. Adopting risk-based authentication enables organizations to dynamically adjust the level of security required based on the perceived risk of each login attempt. By analyzing factors like user behavior, device information, and location, organizations can strike a balance between security and user experience, minimizing unnecessary authentication steps for low-risk scenarios.

  • Avoiding vulnerable methods. Organizations should steer clear of authentication methods susceptible to exploitation, like push notifications. These can be vulnerable to social engineering attacks or interception by attackers. Instead, prioritize more secure and robust authentication approaches to prevent MFA fatigue attacks.
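The attack pattern above relies on sending a user prompt after prompt until one is approved, and the prevention measures above come down to limiting how many prompts a user can receive and treating a burst of unanswered ones as a risk signal. The following is an added illustration, not code from this article or from Descope's platform: it replays a constructed stream of push-MFA events through a sliding-window guard that suppresses further prompts for a user once too many have been denied or left unanswered, and flags that account for review. The log shape, window size, and threshold are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: push-MFA events as (timestamp_seconds, user, result).
# result is "approved", "denied", or "timeout" (user never responded).
# The log shape is hypothetical; real IdPs emit richer records.
SAMPLE_EVENTS = [
    (0, "alice", "timeout"),
    (20, "alice", "denied"),
    (45, "alice", "timeout"),
    (70, "alice", "denied"),
    (95, "alice", "timeout"),
    (110, "alice", "approved"),   # the "gives in" moment the attacker waits for
    (30, "bob", "approved"),
    (3600, "bob", "approved"),
]

class PushPromptGuard:
    """Counts denied/unanswered prompts per user inside a sliding window.
    Once the count reaches the threshold, no further prompts are sent and the
    account is flagged, so a later approval cannot come from a bombarded user."""

    def __init__(self, window_s=300, max_unanswered=3):
        self.window_s = window_s
        self.max_unanswered = max_unanswered
        self._history = defaultdict(deque)  # user -> timestamps of denied/timeout prompts
        self.flagged = set()                # users whose prompts are now suppressed

    def _prune(self, user, now):
        q = self._history[user]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def should_send_prompt(self, user, now):
        self._prune(user, now)
        return user not in self.flagged and len(self._history[user]) < self.max_unanswered

    def record(self, user, now, result):
        if result in ("denied", "timeout"):
            self._history[user].append(now)
            self._prune(user, now)
            if len(self._history[user]) >= self.max_unanswered:
                self.flagged.add(user)

def replay(events, guard=None):
    """Replay events in time order; returns per-event decisions and flagged users."""
    guard = guard or PushPromptGuard()
    decisions = []
    for ts, user, result in sorted(events):
        if guard.should_send_prompt(user, ts):
            guard.record(user, ts, result)
            decisions.append((ts, user, "prompted"))
        else:
            decisions.append((ts, user, "suppressed"))
    return decisions, guard.flagged
```

With the sample stream, alice's fourth and later prompts (including the one she would have approved) are never sent and her account is flagged, while bob, whose prompts are answered and spread out, is unaffected. A flagged account is a natural input to the risk-based step-up described above: require a phishing-resistant factor or a help-desk verification before the next login.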

Secure and easy MFA with Descope

If you’re looking for a way to streamline the login process for your end users while cutting down on their sense of MFA fatigue, look no further than Descope. Our drag-and-drop authentication platform empowers developers to add MFA to their apps and websites with only a few lines of code.

Sign up for Descope’s Free Forever tier today to add secure, flexible, and delightful auth to your apps.