Multi-factor authentication fatigue attack
From HandWiki
Short description: Computer security attack
A multi-factor authentication fatigue attack (or MFA fatigue attack) is a computer security attack against multi-factor authentication that makes use of social engineering.[1][2][3] When MFA applications are configured to send push notifications to end users, an attacker can send a flood of login attempts in the hope that a user will click on accept at least once.[1]
In September 2022, Uber's security was breached by a member of Lapsus$ using an MFA fatigue attack.[4][5]
In 2022, Microsoft deployed a mitigation against MFA fatigue attacks in its Authenticator app.[6]
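The push-notification flood described above leaves a recognizable trace in authentication logs: many denied or timed-out prompts for one user in a short span, sometimes ending in a single approval. The following detection sketch is an added example, not part of the original article; the log format, user names, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one push prompt per line: "<time> <user> <result>".
# The format, user names and thresholds are assumptions for this example.
SAMPLE_LOG = """\
2024-01-10T01:00:05 alice denied
2024-01-10T01:00:40 alice timeout
2024-01-10T01:01:10 alice denied
2024-01-10T01:02:30 alice timeout
2024-01-10T01:04:02 alice approved
2024-01-10T02:00:00 carol denied
2024-01-10T02:00:30 carol denied
2024-01-10T02:01:00 carol timeout
2024-01-10T02:01:30 carol denied
2024-01-10T13:30:00 bob timeout
2024-01-10T13:30:20 bob approved
"""


def parse(log_text):
    """Yield (time, user, result) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Alert on bursts of unapproved prompts and on approvals that follow one."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for when, user, result in sorted(events):
        q = recent[user]
        while q and when - q[0] > window:
            q.popleft()  # prompt aged out of the sliding window
        if result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_flood", when))
            q.clear()  # an approval ends the current sequence
        else:
            q.append(when)
            if len(q) == threshold:
                alerts.append((user, "flood", when))
    return alerts


if __name__ == "__main__":
    print(*detect_push_fatigue(parse(SAMPLE_LOG)), sep="\n")
```

An `approved_after_flood` alert is the higher-priority signal, since it marks a session that was granted right after a burst of prompts the user had not accepted.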
References
1. "MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches". https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/.
2. Burt, Jeff. "Multi-factor authentication fatigue can blow open security". https://www.theregister.com/2022/11/03/mfa_fatigue_enterprise_threat/.
3. Constantin, Lucian (2022-09-22). "Multi-factor authentication fatigue attacks are on the rise: How to defend against them". https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html.
4. Whittaker, Zack (2022-09-19). "How do you stop another Uber hack?". TechCrunch. https://techcrunch.com/2022/09/19/how-to-fix-another-uber-breach/.
5. Hardcastle, Jessica Lyons (2022-09-19). "Uber explains how it was pwned this month, points finger at Lapsus$ gang". The Register. https://www.theregister.com/2022/09/19/uber_admits_breach/.
6. Tung, Liam. "Microsoft Authenticator gains feature to thwart spam attacks on MFA". https://www.zdnet.com/article/microsoft-authenticator-gains-feature-to-thwart-spam-attacks-on-mfa/.
Further reading
- Haworth, Jessica (2022-02-16). "MFA fatigue attacks: Users tricked into allowing device access due to overload of push notifications". PortSwigger. https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications.
Original source: https://en.wikipedia.org/wiki/Multi-factor authentication fatigue attack.