MFA Fatigue: How to protect your users

Maturing your access controls for today's attack vectors

What is MFA Fatigue

MFA Fatigue is the flooding of a victim with prompts or notifications from their MFA application until they approve one. The technique only works if the threat actor already has the target's account credentials, usually obtained through a phishing attack, a leaked password database, or a purchase on the Dark Web.
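Because the attack shows up as an unusual burst of push prompts for one account, most of which go unanswered or are denied before one is finally approved, it is straightforward to detect from the authentication log. The following is an added example (my illustration, not code from the original post or from GoSecure) that runs a sliding-window count over a small set of constructed MFA push events; the event format, the user names and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events: (timestamp, user, outcome).
# These are invented for the example, not real log data.
SAMPLE_EVENTS = [
    ("2023-09-01T08:00:05Z", "alice", "approved"),
    ("2023-09-01T12:30:00Z", "carol", "approved"),
    ("2023-09-01T23:10:01Z", "bob", "denied"),
    ("2023-09-01T23:10:20Z", "bob", "timeout"),
    ("2023-09-01T23:10:41Z", "bob", "denied"),
    ("2023-09-01T23:11:02Z", "bob", "timeout"),
    ("2023-09-01T23:11:25Z", "bob", "denied"),
    ("2023-09-01T23:11:50Z", "bob", "approved"),   # user gave in
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_floods(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold push prompts inside `window`.

    Returns {user: {...}} describing the burst. `approved_after_flood` is
    True when the most recent prompt in the burst was approved, which is
    the case a responder most wants to see: the account is likely
    compromised and the session should be revoked and the password reset.
    """
    alerts = {}
    per_user = defaultdict(deque)           # user -> recent (ts, outcome)
    for ts_str, user, outcome in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        recent = per_user[user]
        recent.append((ts, outcome))
        # Drop prompts that fell out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            unanswered = sum(1 for _, o in recent if o != "approved")
            alerts[user] = {
                "prompts_in_window": len(recent),
                "unanswered": unanswered,
                "first_prompt": recent[0][0].isoformat(),
                "approved_after_flood": outcome == "approved",
            }
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_floods(SAMPLE_EVENTS).items():
        print(user, info)
```

In a real deployment the same logic would run over the identity provider's sign-in or MFA audit stream, and a burst that ends in an approval should page someone rather than just write a log line.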

Multifactor Authentication Fatigue Demo Video

Video Credit: GoSecure

Recommendations to lower the risk of unauthorized access

There is no single logical control we can implement that will stop unwanted access to our resources, which is why a defence-in-depth design is best. We should never rely on one criterion alone to decide who gets access to something.

Below I have highlighted some high-level action items to consider to help ensure only the right users have access to the data or resources intended for them. It is easy to overlook the basics, so I want to encourage you to bring fresh eyes to the logical controls and processes you already have in place, and to strongly consider exploring our recommendations.

Understand who has access
  • Inventory your accounts, and ensure you clearly understand all accounts with access to your organization.
  • Enrich all accounts with attribute data that can be used to help make fundamental contextualized access decisions.
  • Identify every entry point through which accounts are created, and ensure the processes that manage those accounts' lifecycles align with your overall account lifecycle process.

FIDO is Key (pun intended)
The FIDO authentication protocol is the best way to mitigate phishing attacks. Moving to FIDO authenticators will improve security and, with the authenticator hardware that makes sense for your organization, can significantly improve user experience.

  • Make FIDO the default multifactor authentication protocol used for accessing resources
  • Revisit FIDO authenticators built into devices and the use of YubiKeys

Do we own the device?

The way we work has shifted, with over 50% of users in the US and Canada working remotely, and it is not unreasonable to allow access to resources only from devices you manage.

  • By default, only managed devices should be able to access company resources
  • Link every device to a user, and ensure your device lifecycle process keeps pace with the changes that can occur.

Application Access Policies

Application and global access policies can now join the party: by implementing or maturing the recommendations above, we have the perfect starting point for context-based access.

User accounts can now be provided access based on what we know about them and the device they are using, and at the application access layer, we can also enforce which MFA protocol we allow.

TL;DR: we can now define that applications X, Y, and Z can only be accessed by an employee, using a managed device, with MFA verification using the FIDO protocol.
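The rule just stated is really a small decision function over the attributes the earlier sections told us to collect: the user's type, whether the device is managed and linked to that user, and which MFA method was used. The following is an added example (my illustration, not the post's own code and not any particular identity provider's policy engine) that evaluates that rule for applications X, Y and Z. The attribute names, the method labels such as "fido2" and "push", and the sample users are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessContext:
    """What we know about the request: user, device and authentication."""
    user: str
    user_type: str               # e.g. "employee", "contractor", "guest"
    device_managed: bool         # device is in our management inventory
    device_owner: str            # user the device is linked to in inventory
    mfa_method: Optional[str]    # "fido2", "push", "sms" or None


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: who may connect, from what, with which MFA."""
    app: str
    allowed_user_types: frozenset
    require_managed_device: bool = True
    allowed_mfa_methods: frozenset = frozenset({"fido2"})


def evaluate(policy: AppPolicy, ctx: AccessContext):
    """Return (allowed, reasons). Every failing check is recorded so the
    denial can be logged and explained to the user or the helpdesk."""
    reasons = []
    if ctx.user_type not in policy.allowed_user_types:
        reasons.append(f"user type {ctx.user_type!r} may not access {policy.app}")
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("device is not managed")
    if ctx.device_owner != ctx.user:
        reasons.append("device is linked to a different user")
    if ctx.mfa_method not in policy.allowed_mfa_methods:
        reasons.append(
            f"MFA method {ctx.mfa_method!r} not accepted; "
            f"need one of {sorted(policy.allowed_mfa_methods)}"
        )
    return (not reasons, reasons)


# The rule from the post: X, Y and Z only for employees, on a managed
# device, verified with FIDO.
POLICIES = {
    name: AppPolicy(app=name, allowed_user_types=frozenset({"employee"}))
    for name in ("X", "Y", "Z")
}

# Constructed sample requests (invented for the example).
EMPLOYEE_FIDO_MANAGED = AccessContext("alice", "employee", True, "alice", "fido2")
EMPLOYEE_PUSH_MANAGED = AccessContext("bob", "employee", True, "bob", "push")
EMPLOYEE_FIDO_UNMANAGED = AccessContext("dave", "employee", False, "dave", "fido2")
CONTRACTOR_FIDO_BORROWED = AccessContext("carol", "contractor", True, "alice", "fido2")


if __name__ == "__main__":
    for ctx in (EMPLOYEE_FIDO_MANAGED, EMPLOYEE_PUSH_MANAGED,
                EMPLOYEE_FIDO_UNMANAGED, CONTRACTOR_FIDO_BORROWED):
        allowed, reasons = evaluate(POLICIES["X"], ctx)
        print(ctx.user, "ALLOW" if allowed else "DENY", reasons)
```

Note that the second sample is denied even though the user completed MFA: a push approval is exactly what an MFA-fatigue attacker is trying to obtain, so the policy only accepts the phishing-resistant method. Reporting all failed checks, rather than stopping at the first, gives the support team what they need when a legitimate user calls in.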

Final Take

We cannot ignore that the current attacks have a social engineering component, which is best handled by your Security Awareness program.

And no, spamming your users with simulated phishing attacks or burying a blurb in an annual wall of text is not as effective as telling users about the tactics malicious actors are actually using. Additionally, users should clearly understand the processes the IT/Security department follows for its identity-related requests and the default communication medium used by the support team.

Although I have greatly simplified the steps an organization needs to take, I will dive into these and other solutions in greater detail in future articles.

Thank you for reading my first post. I hope you return when we dive into the technical goodies of implementing controls and processes to help mature your Identity and Access Management program.