Multi-factor authentication (MFA) has become a cornerstone in securing access to sensitive systems and data, adding an extra layer of protection beyond passwords. However, the increased reliance on MFA has introduced a new problem—MFA fatigue. When users are overwhelmed by frequent authentication prompts, they become frustrated, less vigilant, and may even seek shortcuts to bypass the process.
This fatigue is not only an inconvenience but also a security risk. Bad actors have started exploiting MFA fatigue to launch sophisticated attacks.
A notable example of MFA fatigue being used in a cyberattack occurred in 2022 when Lapsus$ breached Uber and Cisco by overwhelming users with repeated MFA notifications until one was mistakenly approved. In Cisco’s case, the attackers gained access to sensitive data by sending a flood of push notifications, leveraging user fatigue to their advantage. After initial access, they escalated privileges and installed backdoor software, posing severe threats to the company’s infrastructure.
This highlights the importance of addressing MFA fatigue and ensuring users remain vigilant when handling authentication requests. Attackers can steal data, execute malicious commands, and even install ransomware, all by exploiting this human vulnerability. Businesses must educate employees, disable vulnerable push-based MFA methods, and implement stronger defenses like geolocation checks, device fingerprinting, and behavioral analytics to prevent such attacks. Here are six strategies to help your team avoid MFA fatigue while maintaining a strong defense.
1. Use Adaptive MFA
Not all logins are created equal, and your MFA system shouldn’t treat them that way. Adaptive MFA, or risk-based MFA, adjusts the security requirements based on factors like location, device, or behavior.
Intune, as an MDM solution, plays a critical role in this approach by managing device compliance and security policies. For example, if a user is logging in from a trusted device that meets all compliance requirements (e.g., up-to-date OS, encrypted storage), Intune can allow the user to bypass additional MFA steps. Conversely, if the login attempt is from an untrusted device or location, it triggers full MFA verification. This risk-based approach reduces unnecessary prompts for users while maintaining robust security for more sensitive situations, effectively balancing convenience and protection.
By reducing unnecessary prompts for low-risk logins, you reduce user frustration without sacrificing security.
2. Leverage Single Sign-On (SSO)
SSO allows users to log in once and gain access to multiple applications without the need to repeatedly authenticate. By combining SSO with MFA, you can consolidate authentication, so users only have to go through the MFA process once, significantly reducing the number of prompts they face throughout the day.
This approach streamlines the login experience while maintaining robust security controls.
3. Set Session Timeouts Appropriately
Short session timeouts can force users to repeatedly authenticate throughout the day, increasing fatigue. Instead, adjust session timeouts to reflect your business’s security needs and the type of work being done. For example, high-security environments might need shorter timeouts, while standard office workflows can allow longer sessions before MFA is required again.
Finding the right balance between security and convenience will reduce unnecessary authentication interruptions.
4. Implement Push Notifications
Push notifications are a user-friendly and secure way to authenticate. Instead of entering a one-time passcode, users can simply approve a login attempt with a single tap on their mobile device. This method simplifies the MFA process, reducing the time and effort needed to verify identity.
Push notifications also help prevent phishing attacks, as users are less likely to fall for fake login requests when they’re simply approving requests on a trusted device.
5. Educate Users on MFA Best Practices
One of the best ways to combat MFA fatigue is to educate employees on the importance of MFA and how it protects both them and the business. When users understand why MFA is necessary, they’re more likely to tolerate the occasional inconvenience and less likely to seek ways around the system.
Providing clear communication about MFA’s role in preventing breaches can increase compliance and reduce complaints.
6. Use Passwordless Authentication
Passwordless authentication methods, such as biometrics (fingerprints or facial recognition) or hardware security keys, are becoming increasingly popular. These methods eliminate the need for traditional passwords altogether, offering a more seamless and secure user experience.
By reducing reliance on passwords, you not only enhance security but also make the authentication process smoother for users, cutting down on the frequency of MFA prompts.
Conclusion
MFA fatigue is a growing concern, but it doesn’t have to be a barrier to strong security. By implementing adaptive MFA, using SSO, adjusting session timeouts, leveraging push notifications, educating users, and adopting passwordless authentication, you can significantly reduce the burden on employees while keeping your business safe. The key is to strike the right balance—ensuring that security remains robust without making it feel like a constant obstacle to productivity.