Multi-factor authentication fatigue attack explained

A multi-factor authentication fatigue attack (also MFA fatigue attack or MFA bombing) is a computer security attack against multi-factor authentication that makes use of social engineering.[1][2][3] When MFA applications are configured to send push notifications to end users, an attacker who already holds the victim's password can send a flood of login attempts in the hope that the user will tap "accept" at least once.
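The defender's side of the pattern just described is that a flood of push prompts to one account, followed by an approval, is visible in authentication logs. The following is an added example, not code from the article or any vendor: a small detector that parses constructed sample log lines (the `user=`/`event=`/`src=` field names, the event names and the five-prompts-in-five-minutes threshold are all assumptions chosen for illustration) and raises one alert when a user receives a burst of prompts and a second, more serious alert if an approval follows that burst.

```python
"""Detect push-notification MFA floods in authentication logs.

Added example; not code from the article or any MFA vendor. The log format,
field names, event names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, then key=value fields.
# alice receives a burst of prompts and finally approves one; bob is a normal login.
SAMPLE_LOG = """\
2024-03-10T02:13:05Z user=alice event=mfa_push_sent src=203.0.113.7
2024-03-10T02:13:09Z user=alice event=mfa_push_denied src=203.0.113.7
2024-03-10T02:13:20Z user=alice event=mfa_push_sent src=203.0.113.7
2024-03-10T02:13:25Z user=alice event=mfa_push_denied src=203.0.113.7
2024-03-10T02:13:40Z user=alice event=mfa_push_sent src=203.0.113.7
2024-03-10T02:14:02Z user=alice event=mfa_push_sent src=203.0.113.7
2024-03-10T02:14:30Z user=alice event=mfa_push_sent src=203.0.113.7
2024-03-10T02:14:41Z user=alice event=mfa_push_approved src=203.0.113.7
2024-03-10T09:00:01Z user=bob event=mfa_push_sent src=198.51.100.4
2024-03-10T09:00:09Z user=bob event=mfa_push_approved src=198.51.100.4
"""

PROMPT_THRESHOLD = 5            # prompts inside the window that count as a flood (assumed)
WINDOW = timedelta(minutes=5)   # sliding window length (assumed)


def parse_line(line):
    """Turn one log line into (timestamp, dict of key=value fields)."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return ts, fields


def detect_mfa_floods(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts: one 'push_flood' per user whose prompt count
    reaches the threshold inside the window, and an 'approval_after_flood' for
    every approval that follows such a burst (the outcome the attacker wants)."""
    sent = defaultdict(list)   # user -> timestamps of prompts still inside the window
    flooded = set()            # users already flagged, so each flood alerts once
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        if event == "mfa_push_sent":
            # keep only prompts that fall inside the sliding window, then add this one
            sent[user] = [t for t in sent[user] if ts - t <= window] + [ts]
            if len(sent[user]) >= threshold and user not in flooded:
                flooded.add(user)
                alerts.append({"kind": "push_flood", "user": user,
                               "count": len(sent[user]), "src": f.get("src"),
                               "at": ts.isoformat()})
        elif event == "mfa_push_approved" and user in flooded:
            # the user gave in and accepted a prompt they did not initiate
            alerts.append({"kind": "approval_after_flood", "user": user,
                           "src": f.get("src"), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_floods(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one to page on: a burst of prompts alone may be a user fumbling with their phone, but an approval after a burst from a source address the user has never used is the signature of a successful fatigue attack and the moment to revoke the session.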

In September 2022, Uber's security was breached by a member of Lapsus$ using a multi-factor fatigue attack.[4][5]

In 2022, Microsoft deployed a mitigation against MFA fatigue attacks in its authenticator app.[6]
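A mitigation of the kind an authenticator app can offer is number matching: the login page shows a short code, the app asks the user to type it, and an approval is only valid if the code matches, so a reflexive tap on "approve" cannot complete a login the user did not start. The following is an added example, not Microsoft's code or any vendor's actual protocol; the `PushMfaService` class, its method names, the two-digit code length and the cap of three pending prompts per user are assumptions chosen to illustrate the idea.

```python
"""Number matching for push-based MFA, with a cap on pending prompts.

Added example; not Microsoft's code or any vendor's protocol. The class,
method names, code length and pending-prompt limit are assumptions.
"""
import secrets


class PushMfaService:
    """Simulates the server side of a push MFA flow with number matching.

    start_login() creates a pending prompt and returns a short code that the
    login page shows to whoever is signing in. The authenticator app asks the
    user to type that code; approve() accepts only an exact match, so a blind
    tap on "Approve" fails. The pending-prompt cap keeps an attacker from
    queueing an unbounded stream of pushes to wear the user down.
    """

    def __init__(self, max_pending=3):
        self.max_pending = max_pending      # assumed limit on outstanding prompts per user
        self.pending = {}                   # user -> list of (prompt_id, expected_code)

    def start_login(self, user):
        """Create a push prompt. Returns (prompt_id, code), or None when the user
        already has max_pending prompts outstanding (the push is not sent)."""
        queue = self.pending.setdefault(user, [])
        if len(queue) >= self.max_pending:
            return None
        prompt_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}"   # two-digit number shown on the login page
        queue.append((prompt_id, code))
        return prompt_id, code

    def approve(self, user, prompt_id, entered_code):
        """The authenticator reports what the user typed. True only on an exact
        match; the prompt is consumed either way, so it cannot be retried."""
        queue = self.pending.get(user, [])
        for i, (pid, expected) in enumerate(queue):
            if pid == prompt_id:
                del queue[i]
                return secrets.compare_digest(expected, entered_code or "")
        return False   # unknown, expired or already-consumed prompt

    def deny(self, user, prompt_id):
        """The user rejected the prompt; drop it so it frees a pending slot."""
        queue = self.pending.get(user, [])
        self.pending[user] = [p for p in queue if p[0] != prompt_id]

    def pending_count(self, user):
        """Number of prompts currently outstanding for the user."""
        return len(self.pending.get(user, []))


if __name__ == "__main__":
    svc = PushMfaService()
    pid, code = svc.start_login("alice")
    print("legitimate login with matching code:", svc.approve("alice", pid, code))
    pid, code = svc.start_login("alice")
    print("blind approval without the code:", svc.approve("alice", pid, ""))
```

The essential property is that the secret the user must enter is displayed only to the party who initiated the login. An attacker who started the attempt sees the code on their own screen, but the victim, who has to type it into the app, does not, so fatigue alone no longer produces a valid approval.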

In early 2024, a small percentage of Apple customers experienced an MFA fatigue attack caused by an attacker who bypassed the rate limit and CAPTCHA on Apple's "Forgot Password" page.

Notes and References

  1. "MFA Fatigue: Hackers' new favorite tactic in high-profile breaches". Retrieved 2023-01-26.
  2. Burt, Jeff. "Multi-factor authentication fatigue can blow open security". www.theregister.com. Retrieved 2023-01-26.
  3. Constantin, Lucian (2022-09-22). "Multi-factor authentication fatigue attacks are on the rise: How to defend against them". CSO Online. Retrieved 2023-01-26.
  4. Whittaker, Zack (2022-09-19). "How do you stop another Uber hack?". TechCrunch. Retrieved 2023-08-24.
  5. Hardcastle, Jessica Lyons (2022-09-19). "Uber explains how it was pwned this month, points finger at Lapsus$ gang". The Register. Retrieved 2023-08-24.
  6. Tung, Liam. "Microsoft Authenticator gains feature to thwart spam attacks on MFA". Retrieved 2023-01-26.