Leveraging fatigue as a means of persuasion is a potent technique. Even young children pick up on this, persistently requesting treats until a weary parent finally gives in, seeking a brief respite. But children aren’t the only ones employing this tactic. How often have we made a purchase simply to deter a persistent salesperson?

MFA Fatigue is Real

Fatigue doesn’t just work in these everyday scenarios. It is also a weapon used by hackers and cybercriminals. They recognize that a consistent way to bypass security measures is to simply exploit human enervation. Imagine the following scenario:

You’re attending your child’s sports game or enjoying a pleasant dinner party, and suddenly your phone is flooded with SMS multi-factor authentication (MFA) prompts. After dismissing them for a while, you start to believe that there might be a glitch in the MFA system. To stop the incessant notifications, you approve one of the MFA prompts. Perhaps you even received an email from a supposed help desk representative assuring you that these MFA alerts are genuine. Relieved, you follow through. The next morning you discover the regrettable truth that your account has been breached.

The Case for MFA

There was a period when passwords did their job. That window has since closed, however. There are millions of compromised credentials residing in the dark web that were initially stolen through data breaches. Thanks to bot armies and superfast computer processors, password cracking has become streamlined. MFA strengthens the authentication process by adding at least one additional security factor in addition to knowledge (a password). MFA requires that you either have possession of something such as a mobile device that allows you to receive confirmation text messages or emails as well as something you biometrically inherit such as a fingerprint.

While hackers may be able to obtain your password through phishing attempts, keyloggers, dictionary attacks and data file exfiltration, they would also have to attain access to your cell phone or at least be able to manipulate your MFA processes. Think of MFA as a miniature form of multilayer security policy in which multiple tools work collectively to protect you.

The History of MFA

MFA has taken some time to gain traction. Introduced in the early 2000s, many users found it inconvenient to be used regularly while businesses viewed it as costly and intricate. Industry leaders, such as Bill Gates in 2004, anticipated the inadequacy of single-password protection in an increasingly digital age. In 2016, President Barac Obama in a Wall Street Journal op-ed encouraged people to move beyond passwords by adding an extra layer of security like a fingerprint or codes sent to a cell phone.

The adoption of MFA has been progressive. Initially, organizations mandated its use for privileged users and IT personnel during off-site access. This later expanded to on-site usage. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) in 2005 advised financial institutions to adopt MFA for high-risk transactions by the close of 2006. Today, many cyber insurance providers make MFA a prerequisite for policy coverage. Still, despite its ubiquity, breaches that MFA could have thwarted continue to make headlines.

MFA is not Foolproof

There was a time when users put all their trust into a password as the sole protector of their digital lives. Today many feel the same way about MFA. While it’s undeniable that MFA provides a more robust shield than a simple password it can also faster a false sense of security. Malicious threat actors have already devised methods that bypass MFA. According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches involved the human element and MFA involves human engagement and requires human vigilance to be effective. For instance, some MFA solutions allow brief disablement intervals to help users avoid the repetition (and fatigue) of constantly completing the MFA process.

It is important to keep in mind that once an attacker has your password, they are already halfway to the finish line. In the case of a prior breach, your credentials were only one aspect of your user profile that was stolen. Hackers can use this additional information to aid them further. MFA has an attack surface just like any component in your IT estate and that surface is vulnerable to attack. Like all weak links, organizations need to utilize a layered defense to protect from phishing-resistant MFA and manipulative attack methods.

Ways to Curtail MFA Fatigue

To alleviate MFA fatigue, organizations can adopt several proactive strategies. One approach is for security administrators to cap the frequency of MFA prompts within a specified period; after all, a genuine user won’t endlessly attempt to log in. You should also train users to be suspicious of unprompted MFA notifications. Because some MFA methods are more effective than others, your IT and security team should consider upgrading from simple push notification requests.

Ultimately, reinforcing MFA systems requires a multi-layered security approach, overseen from a unified platform. Here, a dedicated team can holistically detect early signs of an intrusion. For many small to medium-sized businesses that might not have extensive in-house security capabilities, outsourcing cybersecurity to a security operations center (SOC) provider has become essential because often times, hacker organizations have more resources and expertise than the businesses they are targeting.

Strategic Monitoring

Strategic monitoring can detect signs of compromise in real-time, allowing security teams to take proactive measures to limit the blast radius of an attack and negatively impact your business.  It is also a means to ensure your organization remains compliant with all mandated regulations. Strategic monitoring collects, aggregates and analyzes data to find the correlations between countless events that on the surface may appear unrelated. Such signs include an abnormal number of failed logins for one or more user accounts or the misuse of a privileged account. The internal implementation of a strategic monitoring system can be highly challenging, especially for SMBs which is one more reason why third party SOCs are becoming so popular today.

Conclusion

Security controls are vulnerable because they ultimately depend on human intervention and judgment. This human factor often becomes the Achilles’ heel, making constant monitoring essential to stay ahead of potential threats. Fortunately, advanced Endpoint Detection and Response (EDR) and 24/7 strategic monitoring solutions are attainable for nearly every size organization today, helping identify, correlate, and remediate threats before they can impact your operations.