MFA Fatigue Attacks: How Can You Protect Your Business?

MFA Fatigue Attacks: A Business Protection Guide

MFA fatigue attacks are a huge concern for any business, particularly those operating fully within the digital sphere.

This article will aim to outline what MFA fatigue attacks are and how they can be prevented. Real-life case study examples will be cited to understand these attacks fully.

In addition, emerging and cutting-edge trends will also be discussed, and how you can prepare your business to identify and deal with any potential threats.

What Are MFA Attacks?

MFA fatigue attacks – multi-factor authentication fatigue attacks – are a type of social engineering cyber-attack strategy.

It is sometimes referred to as either MFA bombing or MFA spamming.

How Does an MFA Fatigue Attack Work?

Cyber attackers or hackers will aim to access the victim’s data by repeatedly pushing 2FA (two-factor authentication) requests to their devices.

This is typically via the second of the two (or last of the multi) factor type of authentication. This is because numerous codes or passwords are repeatedly sent to the victim’s device – whether that is a mobile device, laptop, or any other registered device.

These notifications are usually received by SMS (text message) or via the victim’s email address.

The eventual goal of the hacker is for the victim to verify their identity via one of these notifications, and once they have done so, the hacker can access the victim’s device.

How Do Hackers Gain Access To the Device?

To undertake an MFA fatigue attack, hackers must first attempt to log in to the user’s device by pretending to be the user.

This means they generally have the user’s username and password, either gained from a data leak or by a phishing attack.

The Impact of MFA Attacks on Businesses

There are numerous – and often adverse – effects of an MFA fatigue attack on a business. These impacts will be discussed in greater detail below.

Damage to Your Reputation

Any reputable business is built on the model of trust from its customers. Unfortunately, should an MFA attack occur at your business and impact sensitive customer data, your business can be seriously damaged.

Not only will you lose customers through word-of-mouth, but you will also struggle to gain new customers – particularly if they know that previous customers’ data has been leaked due to a breach in your security.

Ensuring you have some secure authentication methods is paramount for keeping your reputation as a good business.

Moreover, taking the time to train staff on how to identify potential phishing emails can help to prevent MFA fatigue attacks before they happen.

Legal Data Breaches

Another risk you’re looking at with an MFA attack is breaking legal data rules and regulations.

You are not only at risk of exposing sensitive data but also of breaking the law.

This is because many companies legally have to adhere to numerous privacy, data protection and further regulations such as the Digital Operational Resilience Act (DORA), General Data Protection Regulation (GDPR) and the European Union Cybersecurity Act.

Breaking any of these – due to an MFA attack – could result in a breach of these regulations and legal consequences such as incurring heavy financial penalties like fines or being summoned to court.

Disruption at Work

MFA attacks can also affect businesses from an operational point of view.

For instance, an MFA attack can stop all current projects or at least throw a spanner in the works in the sense of mass confusion and possibly even shut down operations altogether.

This can go on for as long as the problem takes to be resolved, meaning that it could mean complete downtime for your business, resulting in financial loss, employee and employer stress, important deadlines being missed and losing out on deals or connections.

Even after an MFA attack, important deadlines can be missed, and employees may be more reserved about trying out new technologies or receiving emails from an unrecognised address.

Fear of New Technology

An MFA attack might take seconds, but the consequences for your business can last much longer.

As mentioned in the section above, employees may have reservations about different technologies, particularly those who are older or less tech-savvy than their younger or simply computer-oriented counterparts.

In turn, this can lead to a lack of innovation on your behalf – employees may show more signs of hesitance when adapting to new technological advances in the workplace.

This can hamper the growth of your business, as well as how your business can adapt to the modern world of work. You could even end up falling behind your competitors as a result.

Loss of Customers

One of a business’s biggest fears is losing customers, particularly those who have been loyal customers for many years.

A commonly heard phrase in business is, “It’s easier to retain existing customers than it is to attract new customers.” And there is a strong element of truth to this phrase.

However, if you suffer from an MFA attack at your business and sensitive or private customer data is leaked, you can lose customers instantly – regardless of whether they have been customers for a week or a decade.

As a result, customers may no longer feel safe with their data in your hands. They could turn elsewhere for their services – including to a direct competitor offering the same services but with better security methods.

Not only does this give your rival companies an advantage over you, but it means that you lose out on business and could face the backlash publicly – which could be in the form of a negative review online or even being taken to the press by a disgruntled customer – damaging your reputation locally as well as losing customers.

Financial Losses

Perhaps the most significant loss relating to an MFA fatigue attack is the financial implication that it leaves your business with.

Most of the points above have also explained how your business can suffer, but the biggest consequence will likely be financial from the above effects.

For example, if you suffer from an attack leading to an operational disruption, you are very likely to lose money.

In addition, if you need to call in cybersecurity specialists who are experts in preventing MFA fatigue and can help protect your business from cyber attacks, this will likely cost a significant amount of money.

On top of that, paying out contracts or ending contracts early for customers who have left will also affect your business from a financial standpoint, as well as the money it costs to attract new customers, such as through paid advertising strategies.

Impacts in the Long-Term

We have already discussed the immediate impacts following an MFA attack and the impacts that it can have on your employees’ willingness to try out new technologies.

However, losing customers and losing the trust of others is not just an immediate impact that will go away after a day or two.

On the contrary, it requires a huge effort to rebuild trust in
any business or brand once its reputation has been damaged.

The efforts that go into this are generally worth it. Still, it can cost you even more financially – particularly for small businesses – with important work often being put on the back burner to make room for building trust in the brand again.

In addition, implementing stronger security methods can also cost time and money and cause concern for a long time.

Real-Life MFA Fatigue Attack Examples

Having all this knowledge is important when it comes to MFA attacks – but perhaps it is even more important to see that it has happened to real-life businesses before.

The Uber Attack

It was not just any old business – it was tech, transport, and food giant Uber that suffered.

The attack occurred in September 2022 and was coordinated by renowned hacking group Lapsus$ (Dev-0537).

The group had performed an MFA fatigue attack and gained access to a “super user” administrative account for IDaaS (Identity as a Service) provider Okta, a third-party support engineer.

After three days, seven alleged members of Lapsus$ were arrested – and all were aged between 16 to 21 years of age.

The University of Queensland Attack

Another example of an MFA fatigue attack was across the globe at the University of Queensland, Australia.

A member of staff at the learning institution had been the victim of an MFA bombing attack and received notifications within their staff account.

The staff member in question had no prior experience or knowledge of MFA fatigue attacks and thought nothing of it – they entered the required code, and the hackers duly gained access.

Unfortunately, this was just the beginning of a series of long-lasting consequences.

The hackers accessed the members of staff’s email accounts. They sent numerous deceitful emails to students, fellow staff members and others associated with the University of Queensland from this one member of staff’s email address.

The link the hackers placed in the emails was to a fabricated Microsoft sign-in page on which there was a form that stole all of the credentials that were input into it.

The Consequences of MFA Fatigue Attacks

It is not just sensitive information and losing customers, which is the sad reality of an MFA attack.

It is also important to remember that numerous innocent people are also affected, such as those students and other staff members at the University of Queensland who had their data stolen, all from a form which seemed to have come from a trusted staff member.

All of their data was compromised, and it is worth reading into examples such as the ones listed above – it’s never a wise idea to think “it would never happen to me”, because it could, quite easily.

The next section of the article will discuss ways to prevent MFA attacks.

Preventing MFA Attacks

There are various strategies to turn off any potential cyber threats and prevent MFA fatigue attacks. These will be discussed in further detail below.


Consulting with cybersecurity experts and training your employees on dealing with MFA attacks is a great use of time and resources.

While it can be initially expensive to do so, the results are completely worth it in the long run. If they can identify any potential attacks before they happen, they could save you and your business thousands of pounds and protect any sensitive data.

Strengthen Password Management Protocols

Passwords are a hacker’s easiest way of granting access to data, information, and more.

Many passwords require users to remember five characters or more – it’s easy to see why elements like authenticated systems like two-factor authentication (2FA) and multi-factor authentication security (MFA) are also encouraged.

However, because passwords are often repeated or stolen, implementing further levels of security beyond MFA should be actively encouraged. An example of this is facial recognition.

For example, looking at passwordless authentication systems that eliminate password-only logins and replace them with a biometrics authenticator is a good place to start.

Least Privilege

Another good way to implement a business protection from cyber attacks strategy is through what is known as least privilege.

This is sometimes called minimal privilege or the principle of least authority, and it is a security concept in which a user is given the minimum levels of access or permissions to perform their job.

The idea behind implementing this to prevent MFA attacks is that it effectively restricts a hacker’s movements from the moment they gain access, meaning they will either leave empty-handed or unable to access the most protected and sensitive data.

Changing MFA Parameters: Some Suggestions

While several different MFA parameters are likely already in place, tightening these existing ones up can help your business significantly.

For instance, reducing the time frame between multi-factor authentication (MFA) windows means there is less opportunity for hackers to access your accounts. While they will inevitably attempt to use brute force to access your accounts, they will struggle if the time frame is reduced from 10 minutes to 30 seconds, for instance.

Another good tip is to add geographic location requirements. This means that the user has to be in a certain geographic location (such as your work office, for example, or at least in the local vicinity). This also prevents hackers from outside of the country from accessing the data.

Flagging excessive numbers of unsuccessful access attempts is another way to prevent MFA fatigue attacks. These can be flagged and rerouted to a security specialist, who can analyse the data and report it to more senior authorities if needed.

Concerning flagging unsuccessful attempts, limiting the number of attempts during a time frame is another method worth employing. For example, after three unsuccessful attempts, the user must wait half an hour before attempting to log in again. This can put off hackers who want instant results immediately.

Finally, increasing the factors required to access a user’s account is always a good idea. For example, requiring their phone number and facial recognition, or thumbprint recognition, is often a good move – as these steps render it almost impossible for a hacker to bypass successfully.

Final Thoughts

In conclusion, MFA fatigue attacks are always going to be dangerous, so there are several steps that you can take so that you understand them more.

Identifying the signs of an MFA fatigue attack – numerous sign-in attempts into one of your accounts, for instance – is a good place to start.

From a business owner’s perspective, taking some time to train your employees to identify these signs and know how to deal with them can pay dividends in the long run. Furthermore, once you know the signs, the next step is knowing what to put in place to stop a full-blown MFA fatigue attack.

The examples discussed above, such as increasing the number of factors required during the MFA process, strengthening password management protocols, and implementing least privilege, can also help yo
u to prevent these attacks from going any further.

We hope this article has helped you understand MFA fatigue attacks more thoroughly and that you can put this learning to good use where possible to prevent them from happening in the first place.

Get in touch for more information on how we can help you.