Multi-factor authentication (MFA) has become a cornerstone of cybersecurity for counties, dramatically reducing the risk of unauthorized access. However, as defenses evolve, so do attack methods. One growing threat targeting organizations with MFA in place is the MFA fatigue attack, also known as push bombing.
MFA fatigue attacks exploit human behavior rather than technical weaknesses. Instead of trying to bypass MFA entirely, attackers overwhelm users with repeated authentication requests until the user mistakenly approves one, often to stop the notifications.
Attackers typically begin by obtaining a user’s credentials through phishing, prior data breaches, or social engineering. Once they have the username and password, they repeatedly attempt to log in, triggering a flood of MFA push notifications, text messages, or phone prompts sent to the user’s device.
These prompts may arrive late at night, early in the morning, or continuously throughout the day. Eventually, a distracted or frustrated user may approve the request without realizing it is malicious. At that moment, the attacker gains legitimate access using the user’s own credentials and approved MFA request. This tactic has been used successfully against both private companies and public entities, including government agencies, because it relies on urgency, annoyance, and user error rather than technical flaws.
County employees juggle multiple systems, urgent service demands, and frequent login requests, making MFA prompts feel routine. Attackers count on this familiarity to reduce vigilance. Shared responsibilities, after-hours access, and remote or hybrid work can also increase the chances that an unexpected MFA request is missed or misunderstood.
Employees and IT teams should remain alert for the following warning signs that an active MFA fatigue attempt is in progress:
While MFA fatigue attacks are concerning, there are steps counties can take to reduce risk:
1. Train Employees: Ensure staff know never to approve an MFA request they didn’t initiate and to report anything suspicious immediately.
2. Use Number Matching or Verification Codes: Adopt MFA options that require entering a code or matching a number, making unauthorized approvals far more difficult.
3. Reduce Repeated Prompts: Configure systems to limit failed MFA attempts or trigger alerts after multiple prompts to prevent attacker “bombing.”
4. Strengthen Reporting Channels: Make it easy for employees to report suspicious MFA activity so IT can respond quickly and secure accounts.
5. Enforce Least-Privilege Access: Limit each account’s permissions to only what’s necessary, reducing potential harm if a credential is compromised.
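One way to implement the alerting described in step 3, as an added example (not from this article or any MFA vendor): a sliding-window check over MFA push events that flags a burst of prompts and, separately, an approval that arrives during that burst. The event format, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window; tune per environment
MAX_PROMPTS = 5                 # assumed prompts-per-window alert threshold

# Constructed sample events: (ISO timestamp, user, result).
# Field layout and result values are hypothetical, not a real provider's schema.
SAMPLE_EVENTS = [
    ("2024-03-05T08:01:00", "asmith", "approved"),  # ordinary single login
    ("2024-03-06T02:10:00", "jdoe", "denied"),
    ("2024-03-06T02:11:00", "jdoe", "timeout"),
    ("2024-03-06T02:12:30", "jdoe", "denied"),
    ("2024-03-06T02:13:00", "jdoe", "timeout"),
    ("2024-03-06T02:14:00", "jdoe", "denied"),      # 5th prompt inside window
    ("2024-03-06T02:15:00", "jdoe", "approved"),    # approval during the burst
    ("2024-03-06T09:00:00", "jdoe", "approved"),    # hours later: normal again
]

def detect_push_bombing(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return (timestamp, user, alert_type) tuples for suspicious MFA activity.

    prompt_burst          : user reached max_prompts prompts within window
    approved_during_burst : a prompt was approved while the burst was active,
                            so the session should be treated as suspect
    """
    recent = defaultdict(deque)    # user -> prompt times still inside window
    in_burst = defaultdict(bool)   # user -> burst already alerted on
    alerts = []
    for ts, user, result in sorted(events):  # same-format ISO strings sort by time
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while now - q[0] > window:           # expire prompts older than window
            q.popleft()
        if len(q) < max_prompts:
            in_burst[user] = False           # burst over (or never started)
            continue
        if result == "approved":
            alerts.append((ts, user, "approved_during_burst"))
        elif not in_burst[user]:             # alert once per burst, not per prompt
            alerts.append((ts, user, "prompt_burst"))
        in_burst[user] = True
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_during_burst` alert is the case to escalate first, since it indicates the user may have accepted a prompt they did not initiate.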
MFA remains one of the most effective security controls available, but it is not “set it and forget it.” Counties must pair technical safeguards with ongoing employee awareness and clear response procedures. By understanding MFA fatigue attacks and adjusting configurations, training, and policies accordingly, counties can stay ahead of this evolving threat. For more information, contact CTSI at (303) 861-0507.