What is MFA Fatigue?
If you haven't heard about the Cisco cyber breach, it has also become a reality. Together with other security incidents such as the recent SolarWinds cyberattack, cybercriminals have demonstrated again that not even the best tech companies are immune to their sophisticated attacks. "MFA Fatigue" is now the hot topic in the cyber security space, since this attack method turned out to be the root cause of the infamous Cisco breach. Let's examine MFA Fatigue in more detail.
We have all heard about two-factor authentication (2FA), and it is getting more popular day by day. 2FA is supposed to provide an additional layer of security for your accounts by requiring that you prove two things before being granted access:

Something that you know – your login credentials: username and password/PIN/passphrase.

Something that you have – a one-time security code delivered to your mobile device, hardware token, SMS or phone call. These days, with mobile apps, the second factor also comes as a push notification that you approve or deny.

MFA Fatigue refers to a user receiving multiple, or rather an overload of, second-factor notifications through an MFA application. The user is tricked by the flood of 2FA requests, starts setting security best practices aside and becomes careless, putting their company and their accounts in danger of compromise. It usually starts with the basics: the attacker obtains the targeted user's valid credentials via brute forcing, password spraying or credential reuse. Then they repeatedly spam 2FA notification requests until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications; in some cases the flood is misinterpreted as a bug or confused with other legitimate authentication requests.
In this latest episode, the Cisco employee received multiple calls (vishing) over several days in which the threat actor claimed to be from a support organization trusted by the employee. Following this, the threat actor enrolled a series of new devices for MFA and authenticated to the Cisco VPN.

As information security practitioners often say, "the human is the weakest link in information security". In this attack too, it was not the technical ability of the attacker that succeeded, but the skilful exploitation of the human factor in MFA usage. Many users who fell for this attack simply wanted the 2FA mobile application notifications to disappear.
There are multiple advisories from tech gurus on how to detect and prevent these MFA Fatigue attacks, such as configuring service limits for MFA services, customizing alert rules based on login inspection queries, etc. I would rather suggest disabling the push notification feature of such MFA applications, which will drastically reduce the likelihood of such attacks. A legitimate user who is trying to log in to an account should be aware that they have to open the MFA application to approve the transaction. Of course this has an impact on user experience, but it is a question of security versus usability, and the data or business impact should decide whether the former or the latter is the deciding factor when designing MFA.
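As an added illustration of the "alert rules from login inspection queries" mentioned above (example code, not from the article or any MFA vendor), the following Python script scans a constructed, vendor-neutral authentication log for a burst of denied or unanswered push requests to one user within a short window, and flags whether an approval followed inside that window, which is the pattern a successful MFA fatigue attack leaves behind:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result>".
# The format and values are assumptions for this example only.
SAMPLE_LOG = """\
2022-08-10T09:00:01Z alice push_denied
2022-08-10T09:00:20Z alice push_denied
2022-08-10T09:00:45Z alice push_timeout
2022-08-10T09:01:10Z alice push_denied
2022-08-10T09:01:30Z alice push_denied
2022-08-10T09:02:05Z alice push_approved
2022-08-10T09:03:00Z bob push_approved
2022-08-10T10:15:00Z bob push_denied
"""

REJECTED = ("push_denied", "push_timeout")  # pushes the user did not accept


def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_spam(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: {...}} for users with >= threshold rejected pushes in one
    window; 'approved_in_window' is True when an approval landed in that same
    window, i.e. the user may have given in to the flood."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        rejected = [ts for ts, r in evs if r in REJECTED]
        for i, start in enumerate(rejected):
            burst = [t for t in rejected[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = start + window
                approved = any(r == "push_approved" and start <= ts <= end
                               for ts, r in evs)
                alerts[user] = {"rejected_pushes": len(burst),
                                "approved_in_window": approved}
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    print(find_push_spam(parse_log(SAMPLE_LOG)))
```

In a real deployment the window and threshold should be tuned against the normal rate of denied pushes in your environment, and an alert with `approved_in_window` set should trigger a session review and password reset for that user.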
Thanks for reading it this far! Wish you a secure digital experience ahead!

This article is written by Sachin Babu
Head of Cybersecurity GRC – Oil & Gas Sector Company