
Taking advantage of your tiredness: MFA fatigue attack

Multi-factor authentication is one of the most effective ways of preventing unauthorised access to your account. However, that doesn’t mean accounts protected with MFA are completely secure. Hackers have found a way around this protection, and it involves taking advantage of your tiredness.

What is multi-factor authentication?

MFA, or multi-factor authentication, is a security feature that many accounts offer in order to verify your identity. When you log into an account with an email address and a password, you’re prompted to provide another piece of information that is sent to a different device. This tends to be a code that is texted to your mobile phone, or a number that is shown in an authenticator app. Sometimes it is a notification sent to your phone which you can approve or reject.

By requesting this additional piece of information, websites and apps can be more confident that you’re the person attempting to log in. This is a great way of preventing malicious third parties or hackers from getting into your online accounts. Even if your email address and password are discovered through a hack (such as the M&S ransomware attack), or accidentally disclosed by the victim, perpetrators cannot access your accounts without the final piece of information. MFA adds another layer of protection.

What is an MFA fatigue attack?

An MFA fatigue attack is where a perpetrator attempts to gain access to the victim’s account or application using login details obtained through another hack and then sold on the dark web.

When this account has been protected with multi-factor authentication, the perpetrator sends request after request to log in, bombarding the victim’s phone with authentication requests. Eventually, either through exhaustion or error, the individual approves the request, and the perpetrator gains access to the account.

MFA fatigue attacks are incredibly easy to execute and cheap to automate: instead of a hacker manually attempting each login, the requests can be sent one after the other by a short script.

MFA fatigue attacks are particularly effective when the prompt simply asks the victim to approve or reject a login; the victim isn’t required to enter a number or code, and instead just hits approve. When the requests come through to an authenticator app, the victim's response can be instinctive, and they may approve the request out of habit.

How to protect yourself against MFA fatigue attacks

Making sure multi-factor authentication is turned on for all of your accounts and apps is one of the best ways to improve your online security. However, there are more things that you can do to protect yourself against MFA fatigue attacks. 

Where possible, ensure that your MFA requires a code or number that you must copy from your phone to the device that is logging in, instead of an approve/reject prompt. This means that it won’t be possible to accidentally approve a login request that wasn’t started by you.

Businesses can also consider setting a limit on the number of times a login request can be sent before the account is locked. This way, employees are far less vulnerable to these kinds of attacks and are required to contact tech support, who can check that the account is still secure.
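The two controls above, a prompt limit that locks the account and a review of any approval that follows a burst of rejected prompts, can be checked against an authentication log. The script below is an added example and is not Transcendit's code or any vendor's feature: it assumes a hypothetical log in which each MFA push prompt is recorded as a line of the form `<timestamp> user=<name> ip=<address> push=<outcome>` (the field names, the threshold of three prompts in ten minutes, and the sample log lines are all constructed for this example). It reports which accounts would have been locked and which approvals arrived only after the victim had already rejected or ignored several prompts in the same window, which is the pattern described in the section on how the attack works.

```python
"""Spot MFA push bombing in an authentication log (added example).

Assumptions (constructed for this example, not from any real product):
  - one log line per MFA push prompt: "<iso-ts> user=<u> ip=<ip> push=<outcome>"
  - outcome is one of: approved, denied, timeout
  - policy: lock the account after LOCK_THRESHOLD unapproved prompts
    within WINDOW; flag any approval that follows that many unapproved
    prompts in the same window as a likely fatigue approval.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCK_THRESHOLD = 3                 # unapproved prompts before lockout (constructed policy)
WINDOW = timedelta(minutes=10)     # sliding window for counting prompts

# Constructed sample log: alice is bombarded and eventually approves,
# bob logs in normally, carol rejects one prompt and logs in later.
SAMPLE_LOG = """\
2024-10-09T08:00:00 user=alice ip=203.0.113.7 push=denied
2024-10-09T08:00:40 user=alice ip=203.0.113.7 push=timeout
2024-10-09T08:01:15 user=alice ip=203.0.113.7 push=denied
2024-10-09T08:02:02 user=alice ip=203.0.113.7 push=denied
2024-10-09T08:02:50 user=alice ip=203.0.113.7 push=timeout
2024-10-09T08:03:30 user=alice ip=203.0.113.7 push=approved
2024-10-09T08:05:00 user=bob ip=198.51.100.4 push=approved
2024-10-09T09:30:00 user=carol ip=192.0.2.9 push=denied
2024-10-09T09:45:00 user=carol ip=192.0.2.9 push=approved
"""


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "approved" | "denied" | "timeout"


def parse_line(line: str) -> PushEvent:
    """Parse one hypothetical log line into a PushEvent."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return PushEvent(datetime.fromisoformat(ts_str), fields["user"],
                     fields["ip"], fields["push"])


def analyse(lines, lock_threshold=LOCK_THRESHOLD, window=WINDOW):
    """Return (lockouts, risky_approvals).

    lockouts:        {user: time the prompt limit was first exceeded}
    risky_approvals: [(user, time, unapproved prompts in the window)]
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent = {}           # user -> deque of timestamps of unapproved prompts
    lockouts = {}
    risky_approvals = []
    for e in events:
        q = recent.setdefault(e.user, deque())
        while q and e.ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if e.outcome == "approved":
            # An approval right after a burst of rejections is the fatigue pattern.
            if len(q) >= lock_threshold:
                risky_approvals.append((e.user, e.ts, len(q)))
            q.clear()                       # a completed login ends the burst
        else:
            q.append(e.ts)
            if len(q) >= lock_threshold and e.user not in lockouts:
                lockouts[e.user] = e.ts     # the point at which the policy would lock the account
    return lockouts, risky_approvals


if __name__ == "__main__":
    locks, risky = analyse(SAMPLE_LOG.splitlines())
    for user, when in locks.items():
        print(f"LOCK   {user} at {when.isoformat()} (>= {LOCK_THRESHOLD} prompts in {WINDOW})")
    for user, when, count in risky:
        print(f"REVIEW {user} approved at {when.isoformat()} after {count} unapproved prompts")
```

With the sample log, alice would have been locked at the third unapproved prompt (08:01:15), well before the approval at 08:03:30, and that approval is flagged for review because five prompts had been rejected or ignored in the preceding ten minutes; carol's single rejection fifteen minutes before her login falls outside the window and is not flagged.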


The Transcendit Way

Transcendit understand that when you choose to work with us, whether we're taking care of your IT, app or web development, you're trusting us with part of your business. So whether we're looking after your computers, phone systems or servers we always do things 'the Transcendit way'.

The whole of our team adhere to the same values, beliefs and policies - the principles that were written when Transcendit first formed in 2000. Whether you come to us for cloud services or recovery backup you can be confident that you'll always receive the same excellent service.

The Transcendit way outlines how we do business; following the same straightforward principles with every client and customer, regardless of how big or small they may be.

That means we get to know you and your business. We offer you a friendly, professional and efficient service, and we'll always be honest with you.
We understand that not everybody speaks fluent IT, so we try to explain things in a way that is simple and clear. We always spend as much time as is necessary explaining things to you.
If you need to talk to us about something, no matter how insignificant, we are only ever a phone call away – and we’re never too busy to make you a cup of tea and have a sit down with you in person.
We understand how frustrating it can be when things are late. When we schedule an appointment with you, we are there when you’re expecting us. If something prevents us from getting there, we always call you in advance to let you know.
Sometimes things can go wrong, but we never lie to you or try to cover something up. If things go askew we tell you what’s happened and how we plan to prevent it affecting your business.
We want you to continuously benefit from working with us. We regularly discuss your business and make suggestions for improving systems and processes wherever we can – but we never try to push you into a purchase.
When we quote a fixed price, that's always the amount we charge – you won’t find any nasty surprises on a bill from us. If you are paying by time and materials, we inform you if our approximations could change.
We understand the importance of privacy for your business and your customers. We respect the confidentiality of your data, and we will never pass on your information to third parties.
We appreciate it when you take the time to give us feedback. A system called CustomerSure records our clients' responses, so you can trust that our reviews are from real people.
Based on 12075 reviews our customers rate us 9.8/10. Reviews and ratings by Customersure. 09-October-2024

Transcendit are proud sponsors of CHUF, the Children's Heart Unit Fund.

Transcendit is a Microsoft Gold certified partner
VMWARE partner
Vipre partner
IPCortex partner
WithSecure partner
DELL partner
Barracuda partner
Veeam partner
N-Able partner