Multi-factor authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to resources such as email, VPN and online banking – for example, one-time passwords or push notifications sent to a mobile app. MFA has been a cornerstone of cyber security best practice lists for many years. It has become one of the most effective ways that organisations can protect their online accounts, particularly with the advent of cloud computing.

The global MFA and cloud computing markets are projected to grow by nearly 15.6% and 17.9% by 2027 and 2028 respectively.[1,2] Password manager LastPass reported that 95% of organisations in 2021 used software-based authenticators for MFA rather than physical tokens or biometrics.

But while MFA is key to protecting cloud systems, it is also highlighting the risks of relying solely on app-based solutions. As threat actors improve their capabilities, the exponential growth of MFA has become a significant contributing factor to the increasing number of cyber attacks and data breaches targeting organisations.

Case study

Last month, a multinational suffered a breach affecting its data and systems. Shortly afterwards, the company assessed that the perpetrator likely belongs to the cybercriminal group known as Lapsus$, and the City of London Police arrested a 17-year-old in connection with the attack.

The company said it “had no evidence” customers’ sensitive data was compromised, but the attacker still managed to access multiple third-party software systems it used, including Slack, Amazon Web Services and Google Cloud Platform. It remains possible that some sensitive information was accessed, such as customers’ and employees’ personally identifiable information (PII) or the company’s intellectual property (IP).

The attack was likely the result of an effective and persistent social engineering campaign in which the threat actor gained access to the company’s systems through repeated MFA phishing attempts. The threat actor reportedly targeted an employee with MFA requests for over an hour, before “MFA fatigue” and a fake WhatsApp message masquerading as the company’s IT department led the employee to authenticate the threat actor’s login attempt.

What is MFA fatigue?

As a tactic, MFA fatigue involves spamming victims with authentication prompts until they grant the attacker access accidentally or out of frustration – perceiving it as a legitimate login attempt or a bug. It is a type of brute force approach to bypassing MFA that takes advantage of how approving MFA requests has become so routine that employees assume the prompts in their authenticator apps are always valid.

MFA fatigue has also been used to target multinational tech companies this year, and it has been adopted as a tactic by sophisticated nation-state groups and cybercriminals alike. In a campaign targeting public and private sector organisations this year, the group issued multiple MFA requests until the victim accepted the authentication and provided the attackers access to the account.

As a workaround for MFA fatigue, it is likely that organisations will increasingly disable push notifications of “approve sign-in” requests and seek to ensure that number matching and location-based verification are used to gain access to accounts instead.
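The prompt-spamming pattern described above also leaves a recognisable trace in authentication logs: a burst of denied or unanswered push prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not taken from any vendor's product; the log format, field order, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window; tune to your environment
THRESHOLD = 5                   # assumed number of unapproved prompts treated as abnormal

# Constructed sample events: timestamp, user, source IP of the sign-in, push outcome.
SAMPLE_LOG = """\
2024-01-15T09:00:00Z bob 198.51.100.4 denied
2024-01-15T09:00:40Z bob 198.51.100.4 approved
2024-01-15T10:00:00Z carol 192.0.2.9 timeout
2024-01-15T10:30:00Z carol 192.0.2.9 timeout
2024-01-15T11:00:00Z carol 192.0.2.9 denied
2024-01-15T11:30:00Z carol 192.0.2.9 timeout
2024-01-15T12:00:00Z carol 192.0.2.9 denied
2024-01-15T21:00:05Z alice 203.0.113.7 denied
2024-01-15T21:01:10Z alice 203.0.113.7 timeout
2024-01-15T21:02:00Z alice 203.0.113.7 denied
2024-01-15T21:03:30Z alice 203.0.113.7 timeout
2024-01-15T21:04:15Z alice 203.0.113.7 denied
2024-01-15T21:05:00Z alice 203.0.113.7 denied
2024-01-15T21:06:20Z alice 203.0.113.7 approved
""".splitlines()

def parse(line):
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (time, user, ip, alert) tuples for prompt bursts and approvals that follow one."""
    unapproved = defaultdict(deque)  # user -> times of recent denied/timed-out prompts
    alerts = []
    for ts, user, ip, outcome in sorted(parse(l) for l in lines if l.strip()):
        q = unapproved[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # fire once as the burst crosses the threshold
                alerts.append((ts, user, ip, "prompt_burst"))
        elif outcome == "approved":
            if len(q) >= threshold:       # approval right after a burst: treat as suspect
                alerts.append((ts, user, ip, "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for ts, user, ip, alert in detect(SAMPLE_LOG):
        print(ts.isoformat(), user, ip, alert)
```

An `approved_after_burst` alert is the case worth an immediate response, such as revoking the session and contacting the user through a known-good channel; carol's prompts are spread over two hours and bob's single denial precedes a normal approval, so neither triggers.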

Improving MFA

Phishing-resistant authenticators and risk-based authentication – which requires a stronger authenticator to access particularly sensitive applications – will increasingly become MFA best practices. The former relies on public key cryptography to help move away from passcodes. More broadly, passwordless solutions using fingerprint, voice and face biometric data will become more common.

Artificial intelligence (AI)- and machine learning (ML)-enabled MFA solutions will help verify the identity of a user by analysing patterns in their behaviour to prevent malicious activity. This includes, for example, checking to see if the user is typing or interacting with their mouse the way they normally do.

Until then, training and educating employees will eliminate some of the complacency that social engineering relies on. However, adopting effective prevention strategies should begin with accepting that MFA alone is no longer enough to secure organisations’ data and deter threat actors. Monitoring tactical developments in the cyber threat landscape, such as the evolution of threat actors’ toolkits, can enable proactive responses to new methods being used to bypass MFA and gain access to networks and systems.