How Cybercriminals Get Past Multi-Factor Authentication

Maintaining strong and complex passwords may sound easy in theory, but most users opt for easy-to-remember passwords instead.
Discover more

How Cybercriminals Are Getting Past Multi-Factor Authentication

Key points in this article:

  • MFA is a standard part of cybersecurity today
  • Cybercriminals have started spamming users with verification requests, a tactic is known as “MFA Fatigue”
  • Make sure your users understand how this tactic works and how to address it

Multi-Factor Authentication

Have You Heard Of MFA Fatigue?

Maintaining strong and complex passwords may sound easy in theory, but most users opt for easy-to-remember passwords instead.

Multi-factor authentication (MFA) is a great way to overcome the users’ resistance to maintaining strong passwords while still ensuring adequate cybersecurity standards.

Unfortunately, cybercriminals have recently started launching a new tactic to circumvent the protection afforded by this security feature—this strategy is known as “MFA fatigue”.

What is MFA Fatigue?

This cybercrime attack vector works against organizations whose MFA solution is configured to send push verification requests for approval. When someone attempts to log into an account, a request for approval is sent to the associated smartphone.

This tactic is fairly simple: cybercriminals simply send a high number of MFA verification requests to the target user’s device. Eventually, the target gets frustrated with these push notifications and approves them to make them stop.

This process could take hours or days; eventually, the target will break down and approve the request.

How Can You Defend Against MFA Fatigue?

The nature of this attack vector is frustrating, to say the least. It takes advantage of the core function of an MFA solution and preys on the inherent human nature in the user.

While you can’t simply turn off MFA and expect to stay secure, there are specific configurations that can help mitigate the effectiveness of MFA fatigue:

Switch To OTP

Instead of approve/deny requests, you can change your MFA solution to provide one-time passwords. This means an alphanumeric code sent to the user’s device must be input at login in order to authorize the attempt.

While this won’t reduce the number of push notifications coming in during an MFA Fatigue campaign, it will prevent the user from approving the request out of frustration.

Request Limits

You can also configure the account to timeout after a certain number of MFA verification requests, ensuring that the cybercriminal can only send so many push notifications to the user’s device.

Don’t Let Cybercriminals Circumvent Your Best Defenses

Though most companies now employ much stronger cybersecurity than they did ten years ago, our society is still far from being impenetrable. Some industry experts believe we’ll never be able to fully stop all breaches from occurring.

The reasons for this vary, but the most logical line of thinking is that technology is evolving at a constant rate. With each new invention, we open another window that cybercriminals can climb through. Every new convenience we gain through technology is another potential vulnerability waiting to be exploited.

While applying a given cybersecurity solution here or there on an ad-hoc basis can help increase defensive capabilities, this piecemeal approach is generally insufficient. That’s why forward-looking companies are adopting a “zero trust” mindset.

The zero-trust approach to cybercrime assumes that every aspect is a potential vulnerability until it can be confirmed otherwise. That means instead of simply investing in a strong firewall and antivirus and assuming you’re protected, every part of your IT environment and every user trying to access it is assessed for its security.

It’s important for business owners to understand that every potential part of their network is a target. Given the overall connected nature of the systems, comprising one part can give the cybercriminals control over the entire environment.

I.T. Matters, Inc. Will Help Protect Your Data

If you’re unsure about how to implement an MFA solution, don’t try to handle it all on your own.


I.T. Matters, Inc. will help you evaluate your password practices and security measures as a whole to make sure you’re not taking on any unnecessary risks. We will guide you in implementing MFA for your entire staff, ensuring your data is properly protected.