Nobody enjoys having to use Multi Factor Authentication (MFA).
It’s an annoying necessity, and it is not there to make any new friends or to ensure that you have an enjoyable time at work. Without this layer of security, credential thefts would lead to more data breaches and successful attacks, with all the problems that they bring.
What happens if you are away from work and suddenly your phone wants you to authenticate a login? It bleeps, you refuse permission, it bleeps again, so you refuse again, and on we go. At what point do you think, “It is just some automated system that needs access and it is not going to stop until I grant it”? At what point do you render MFA useless because it was annoying you?
The above scenario is a new method of attack that has been used successfully. The idea is that the attacker already has the username and password for the target from an earlier breach; the details were potentially purchased on the dark web or perhaps gained in some other way by the attacker. The only thing that is stopping the hacker gaining access for nefarious purposes is the MFA. If the attacker can trigger your MFA calls repeatedly then the target will often just get worn down and finally grant permission just to stop the irritating MFA requests.
This kind of attack is not something that many users are familiar with, hence it is still pretty successful. The most notable recent success was the September breach of Uber’s systems where a hacker claims to have had complete admin access, forcing Uber to shut down all online access in an attempt to contain the breach. The (supposedly) 18 year old hacker told the New York Times that the credentials were gained by using social engineering, and the MFA was overcome by bombarding the user with requests.
What can a potential target do to safeguard against this kind of attack? There are many things that can be done through use of security technology and training. The best approach is to use combinations of both as the biggest weakness in this sort of thing is almost always the users. Find ways to protect them and ways to get them to protect themselves, and your risk will be significantly reduced.