How to Prevent MFA Fatigue Caused by Fraudsters

As MFA has become standard in most organizations, attackers have begun looking for creative ways to penetrate accounts and pass the MFA barrier. One of the methods that has become popular among attackers is MFA fatigue, or push fatigue. Organizations adopt push MFA for its security and the good user experience it offers. But relying on an untrained user to decide whether to approve/deny an authentication request appears risky under the new circumstances.

Attackers are aware of this weak link and take advantage of it by sending a user multiple push notifications. Some users may approve authentication on the first try, and others will deny it at first. But most users will approve the authentication after multiple requests just to stop the annoying application from sending notifications every few seconds.

There are several ways to prevent MFA fatigue. This article will review four of them and highlight the pros and cons of each.

FIDO2 Authentication

FIDO2 is considered the most secure way to authenticate. FIDO provides a great user experience while forcing proximity between the user and the accessing device. It also prevents man-in-the-middle and Modlishka attacks, something no other authentication method can do. Above all, FIDO2 enables a usernameless and passwordless experience.

Nonetheless, adoption of FIDO2 is slow, and there are several reasons for that. Implementing FIDO across an organization means you need to equip every user with a FIDO authenticator, which requires a computer with platform biometrics (a bound authenticator) like Windows Hello or Mac TouchID. The other option is to provide every user a security key (an unbound authenticator), which adds to the overhead of distributing, tracking, and managing another hardware device for every user. The cost of any of the above options is meaningful and can be a roadblock for many companies. Another roadblock is recovery. For bound authenticators, once a user changes computers, the authenticator they used is gone. For unbound authenticators, it is easy to forget the security key, and in such cases, users may find themselves locked out until a new security key is delivered. The good news is that passkeys will solve the bound biometric problem. Last but not least, while many think FIDO can resist any attack, the Ping Identity engineering team showed in their “Do Silver Bullets Exist?” session at Identiverse 2022 that even this method can be vulnerable.

Limiting the Number of Push Notifications

Limiting the number of push notifications in a short period of time can help reduce the chances for human error. The chances a user will approve an authentication request they didn’t initiate increase with the number of push notifications they receive.

Even a trained user may approve a push notification after it is sent 10 times, so limiting the number of push notifications to, for example, three can help. But this still leaves it to the user to decide how to respond to the first three push notifications, with many users approving the first push that comes in. This option may be your only available option in your current environment, and if it is, you should consider it a temporary solution.

Using Push Notifications with Number Selection

This method uses push notifications but forces proximity by presenting a two-digit number on the user’s device and asking the user to select it from a list of three numbers presented on the mobile app. If the user selects the right number, the authentication is approved.

This method is more secure than just sending a push to approve, since if it is a fraudster sending the push, the genuine user doesn’t see the authentication page with the number they need to select. For many users, getting a push notification with three numbers without seeing the number on the accessing device will look odd, and they will avoid pressing one of the numbers.

However, users may still experience MFA fatigue in this scenario and press one of the three numbers in order to stop the annoyance. This still leaves a 33.3% chance of letting the fraudster in.

Risk-based Authentication (RBA)

The intention of RBA is not just to force MFA only when needed but also to force the right MFA method based on different conditions. For example, is the user logging in from the same device they always use? Which application is the user accessing? What is the user’s location?

MFA fatigue can be created by fraudsters attempting to log in with user credentials, but MFA fatigue can also be caused by the organization itself. Users who are required to go through MFA over and over again during a day tend to think of MFA as an annoying task.

RBA adds intelligence to your policies by processing signals that standard MFA doesn’t. RBA learns the patterns of each user, the device in use, the location, the network, and more, and it provides a simple-to-digest risk score. An MFA policy uses this risk score to decide whether to approve/challenge/deny the authentication and to determine what type of MFA should be used in different scenarios.

With the right tools and configuration, a genuine user won’t get even the first push coming from a fraudster and won’t be able to approve that MFA.

While the main goal of this article is to help your enterprise prevent MFA fatigue by fraudsters, we recommend taking this opportunity to review the current authentication flow and MFA settings in your environment. This is a good time to improve the user experience by adding risk-based authentication and reducing the amount of MFA required in your organization while also ensuring users understand the importance of MFA for protecting your company assets.

Customers who use PingOne Risk and PingID together prevent MFA fatigue by bypassing MFA when the risk level is low or requiring mobile OTP or FIDO when the risk level is high. For example, in September 2022, one Ping customer went live with PingOne Risk, onboarding over 240 MFA-enabled applications. The customer eliminated over 25,000 MFA prompts–representing a 65% decrease–in just one day.