What is purple team security → OWASP Top 10 mapped to cloud infrastructure → Cloud security breaches 2020–2025 → Broken access control in AWS → MFA fatigue attacks
TL;DR
- An MFA fatigue attack exploits push-notification MFA (Duo, Okta Verify, Microsoft Authenticator) by flooding a user with push requests until they accept one — either out of exhaustion or after social engineering
- Uber (September 2022): contractor credentials purchased on a criminal marketplace → repeated Duo push notifications → WhatsApp social engineering → push accepted → admin PAM credentials found on internal file share → full access to AWS, GCP, Slack, HackerOne
- The attack works because push MFA creates a UX habit: “tap accept” is a trained response, not a decision
- Detection: multiple MFA failures followed by a single success in a short window — Okta System Log, Azure AD Sign-in Log, AWS CloudTrail
- The structural fix is replacing push MFA with phishing-resistant FIDO2 hardware keys — not security awareness training, not more push notifications, not “number matching” alone
- Okta (October 2023): support system breach exposed session tokens → attackers bypassed MFA entirely by using stolen session context
OWASP Mapping: A07 Identification and Authentication Failures. The Uber breach is the defining infrastructure example. Okta demonstrates session token theft as a related A07 variant.
The Big Picture
┌─────────────────────────────────────────────────────────────────────┐
│ MFA FATIGUE ATTACK ANATOMY │
│ │
│ STEP 1: OBTAIN CREDENTIALS │
│ Attacker ──── phish / buy on market ──────▶ username + password │
│ │
│ STEP 2: TRIGGER MFA FLOOD │
│ Attacker ──── repeated login attempts ────▶ Push #1 → User: NO │
│ Push #2 → User: NO │
│ Push #3 → User: NO │
│ Push #4 → User: ??? │
│ │
│ STEP 3: SOCIAL ENGINEERING LAYER │
│ Attacker ──── "Hi, I'm from IT support. │
│ Please accept the next push." │
│ Push #4 → User: YES │
│ │
│ STEP 4: ACCESS │
│ Attacker ──── authenticated session ──────▶ Internal network │
│ Enumerate shares │
│ Find next credential │
│ │
│ ═══════════════════════════════════════════════════════ │
│ WHY TRAINING DOESN'T HELP: │
│ Push MFA trains users to tap accept. The attacker exploits │
│ the trained behavior. Education competes with habit. │
│ │
│ WHY HARDWARE KEYS DO: │
│ FIDO2 requires physical presence. WhatsApp message │
│ cannot accept a hardware key challenge. │
└─────────────────────────────────────────────────────────────────────┘
An MFA fatigue attack is how you bypass multi-factor authentication without breaking encryption or stealing the MFA seed — you exploit the user’s psychology and the UX of push-notification systems. The attacker knows the password. The only thing standing between them and access is the user’s willingness to tap “deny” indefinitely.
The Uber Breach: Anatomy Minute by Minute
September 15, 2022. The attacker’s capabilities: a purchased credential set for an Uber contractor account, a phone number, and patience.
The credential acquisition: Uber contractor credentials were available on criminal marketplaces. The attacker obtained a valid username and password for an Uber contractor’s Uber corporate account.
The MFA flood:
The contractor’s account had Duo push-based MFA enrolled. The attacker initiated login attempts repeatedly, triggering a sequence of Duo push notifications to the contractor’s phone. The contractor rejected three or four of them. At this point, most attacks would stop — but the attacker added a social engineering layer.
The WhatsApp message:
The attacker sent a WhatsApp message to the contractor’s number, claiming to be from Uber IT support:
“Hi, this is the Uber IT support team. We’re seeing some issues with your account and need you to approve the next Duo notification to verify your identity.”
The contractor accepted the next push notification.
Post-authentication enumeration:
With an authenticated session, the attacker accessed Uber’s internal network. On an internal network share accessible to contractors, they found a PowerShell script. In that script: hardcoded Thycotic admin credentials. Thycotic is a Privileged Access Management (PAM) system — it stores credentials for privileged accounts across an organization.
The blast radius:
With Thycotic admin access, the attacker retrieved credentials for:
– AWS IAM accounts
– GCP service accounts
– Google Workspace admin
– VMware vSphere
– Slack workspace admin
– HackerOne bug bounty program admin (including details of open security reports)
The entire Uber infrastructure was accessible from one contractor’s push notification acceptance.
What Uber’s logs showed:
2022-09-15T02:17:00Z [Duo] [email protected] action=push_sent result=rejected
2022-09-15T02:17:45Z [Duo] [email protected] action=push_sent result=rejected
2022-09-15T02:18:30Z [Duo] [email protected] action=push_sent result=rejected
2022-09-15T02:19:15Z [Duo] [email protected] action=push_sent result=rejected
2022-09-15T02:22:00Z [Duo] [email protected] action=push_sent result=approved
2022-09-15T02:22:05Z [VPN] [email protected] connection=established ip=<attacker>
Four rejections followed by one approval in a five-minute window. This is a detectable pattern — but only if someone is looking for it.
Red Phase: Simulating MFA Fatigue
What the Attack Looks Like in Tooling
MFA fatigue attacks are conducted manually — an attacker with valid credentials and knowledge of which MFA system the target uses. No special tooling is required for the attack itself. What can be simulated:
Option 1: Repeated legitimate login attempts (test account only)
# DO NOT run against production accounts or accounts you don't own
# Using Okta API to authenticate (test environment only)
TEST_USERNAME="[email protected]"
TEST_PASSWORD="TestPassword123!"
OKTA_DOMAIN="your-org.okta.com"
for i in {1..5}; do
echo "Attempt $i at $(date +%T)"
response=$(curl -s -X POST \
"https://${OKTA_DOMAIN}/api/v1/authn" \
-H "Content-Type: application/json" \
-d "{\"username\": \"${TEST_USERNAME}\", \"password\": \"${TEST_PASSWORD}\"}")
status=$(echo "$response" | jq -r '.status')
echo " Status: $status"
if [ "$status" = "MFA_CHALLENGE" ]; then
state_token=$(echo "$response" | jq -r '.stateToken')
factor_id=$(echo "$response" | jq -r '._embedded.factors[] | select(.factorType == "push") | .id')
echo " Factor ID: $factor_id (push notification triggered)"
# In a real attack, the attacker would poll for the MFA response:
echo " Waiting 10 seconds for user to respond..."
sleep 10
fi
sleep 30 # Wait between attempts to avoid rate limiting
done
Option 2: Tabletop exercise (no credentials required)
For organizations that cannot run live credential tests, the tabletop simulation maps the attack against your specific IdP logs. Pull 30 days of authentication logs and look for the pattern:
# Okta System Log: find users with multiple MFA failures followed by success
curl -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
"https://your-org.okta.com/api/v1/logs?filter=eventType+eq+\"user.authentication.auth_via_mfa\"&limit=1000" | \
jq '
group_by(.actor.id) |
map({
user: .[0].actor.displayName,
total: length,
failures: [.[] | select(.outcome.result == "FAILURE")] | length,
successes: [.[] | select(.outcome.result == "SUCCESS")] | length
}) |
sort_by(.failures) |
reverse |
.[0:20]
'
Users with high failure counts followed by eventual success are the fatigue attack pattern. Some will be legitimate (user locked themselves out, then called IT). The ones to investigate are those where the failure-to-success sequence happened in a short window (under 30 minutes) and from an unusual IP.
Blue Phase: Detection Across Identity Providers
Okta: Push Notification Flood
# Okta System Log — detect repeated push failures from same user
# Query for: >3 push failures within 10 minutes for same user
curl -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
"https://your-org.okta.com/api/v1/logs?filter=eventType+eq+\"user.authentication.auth_via_mfa\"+and+outcome.result+eq+\"FAILURE\"&since=$(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)" | \
jq '
group_by(.actor.id, (.published[0:16])) |
map(select(length >= 3)) |
map({
user: .[0].actor.displayName,
window: .[0].published[0:16],
failure_count: length,
ips: [.[].client.ipAddress] | unique
})
'
Azure AD: Conditional Access Logs
# Azure AD: MFA push denial flood detection (using Azure CLI)
az monitor activity-log list \
--start-time "$(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)" \
--query "[?contains(operationName.value, 'MFA')].{user:caller,time:eventTimestamp,result:status.value}" \
--output table
In Microsoft Sentinel, the detection rule for MFA fatigue:
// Azure AD MFA Fatigue Detection — Sentinel KQL
SigninLogs
| where TimeGenerated > ago(24h)
| where AuthenticationRequirement == "multiFactorAuthentication"
| where ResultType != "0" // Non-success
| summarize
FailureCount = count(),
SuccessCount = countif(ResultType == "0"),
IPs = make_set(IPAddress),
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated)
by UserPrincipalName, bin(TimeGenerated, 10m)
| where FailureCount >= 3
| where SuccessCount >= 1
| where datetime_diff('minute', EndTime, StartTime) <= 30
| project UserPrincipalName, FailureCount, SuccessCount, IPs, StartTime, EndTime
| order by FailureCount desc
AWS CloudTrail: Console Session After MFA Flood
If your organization uses AWS SSO (IAM Identity Center) with an external IdP, the CloudTrail event that matters is the console login event immediately following the MFA success:
# Find AWS console login events from unusual IPs
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
--start-time "$(date -d '24 hours ago' --iso-8601=seconds)" \
--query 'Events[].{Time:EventTime,User:Username,IP:CloudTrailEvent}' \
--output json | \
jq '.[] | {
time: .Time,
user: .User,
ip: (.IP | fromjson | .sourceIPAddress),
mfa: (.IP | fromjson | .additionalEventData.MFAUsed)
}'
What a GuardDuty Alert Looks Like for This Attack
GuardDuty does not generate a specific finding for MFA fatigue (it does not have visibility into IdP logs). What it may catch downstream:
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B— console login from unusual geographic location or Tor exit nodeDiscovery:IAMUser/AnomalousBehavior— if the attacker begins enumerating IAM after console access
The gap: GuardDuty’s behavioral analysis is per-account. If the attacker logs in using valid credentials and MFA, GuardDuty may not flag the initial access — only downstream actions that deviate from baseline.
Purple Phase: The Structural Fix
Fix 1: Replace Push MFA with FIDO2 Hardware Keys (for Tier-0 Accounts)
This is the only structural fix. MFA fatigue attacks work because push notifications can be approved by a human who is socially engineered. FIDO2 hardware keys (YubiKey, Google Titan, etc.) require physical possession of the key and a user gesture (touch). A WhatsApp message cannot substitute for physical key presence.
# Okta: Require hardware key MFA for admin accounts
# (done via Okta Admin Console → Security → Authentication Policies)
# CLI example using Okta API:
# Create a new authentication policy requiring hardware authenticator
curl -X POST \
"https://your-org.okta.com/api/v1/policies" \
-H "Authorization: SSWS ${OKTA_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "Admin Hardware Key Policy",
"type": "ACCESS_POLICY",
"status": "ACTIVE",
"description": "Requires FIDO2 hardware key for admin access"
}'
Phasing hardware keys across an organization:
| Tier | Examples | Timeline |
|---|---|---|
| Tier 0 — immediate | Cloud admin, IAM admin, Okta admin, DNS admin | Week 1 |
| Tier 1 — 30 days | All engineers with production access | Month 1 |
| Tier 2 — 90 days | All employees with SSO access | Month 3 |
| Contractors | Scope-limited access, enforce at boundary | Immediate |
Fix 2: Number Matching (Intermediate Mitigation)
If hardware keys cannot be deployed immediately, number matching significantly reduces MFA fatigue effectiveness. Instead of a simple “approve/deny” push, the user must match a number shown on the login screen to a number shown in the authenticator app. This breaks the fatigue pattern — the attacker cannot trigger an approval without the user actively entering the correct number.
# Duo: Enable number matching
# Duo Admin Console → Policies → Duo Push Number Matching: Required
# Microsoft Authenticator: Enable number matching
# Azure AD → Security → Authentication methods → Microsoft Authenticator
# Enable: "Require number matching for push notifications"
# Okta Verify: Enable TOTP-bound push
# Okta Admin → Security → Multifactor → Okta Verify → Enable "Number Challenge"
Fix 3: Detect and Block — Automated Response to Fatigue Pattern
#!/usr/bin/env python3
# Purple Team EP05 — MFA Fatigue Auto-Response
# Monitors Okta System Log; suspends user on fatigue pattern detection
# Run as a Lambda function or scheduled script in your SIEM pipeline
import boto3
import requests
import json
from datetime import datetime, timedelta
OKTA_DOMAIN = "your-org.okta.com"
OKTA_TOKEN = "your-okta-api-token" # use Secrets Manager in production
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"
def get_recent_mfa_events(hours=1):
since = (datetime.utcnow() - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
url = f"https://{OKTA_DOMAIN}/api/v1/logs"
params = {
"filter": 'eventType eq "user.authentication.auth_via_mfa"',
"since": since,
"limit": 1000
}
headers = {"Authorization": f"SSWS {OKTA_TOKEN}"}
response = requests.get(url, params=params, headers=headers)
return response.json()
def detect_fatigue_pattern(events, failure_threshold=3, window_minutes=10):
user_events = {}
for event in events:
user_id = event["actor"]["id"]
user_name = event["actor"]["displayName"]
result = event["outcome"]["result"]
timestamp = event["published"]
if user_id not in user_events:
user_events[user_id] = {"name": user_name, "events": []}
user_events[user_id]["events"].append({"result": result, "time": timestamp})
fatigue_users = []
for user_id, data in user_events.items():
events_sorted = sorted(data["events"], key=lambda x: x["time"])
failures = [e for e in events_sorted if e["result"] == "FAILURE"]
if len(failures) >= failure_threshold:
# Check if a success followed the failures
last_failure_time = failures[-1]["time"]
successes_after = [
e for e in events_sorted
if e["result"] == "SUCCESS" and e["time"] > last_failure_time
]
if successes_after:
fatigue_users.append({
"user_id": user_id,
"user_name": data["name"],
"failure_count": len(failures),
"success_after_failures": True
})
return fatigue_users
def alert_security_team(fatigue_users):
sns = boto3.client("sns")
message = f"MFA FATIGUE ALERT — {len(fatigue_users)} user(s) detected:\n"
for user in fatigue_users:
message += f" - {user['user_name']}: {user['failure_count']} failures then success\n"
sns.publish(
TopicArn=SNS_TOPIC_ARN,
Subject="Purple Team: MFA Fatigue Attack Detected",
Message=message
)
def lambda_handler(event, context):
events = get_recent_mfa_events(hours=1)
fatigue_users = detect_fatigue_pattern(events)
if fatigue_users:
alert_security_team(fatigue_users)
return {"fatigue_users_detected": len(fatigue_users)}
Fix 4: Privileged Access Workstations and Session Recording
The Uber breach succeeded because the attacker found hardcoded credentials on a file share accessible to contractors. The downstream fix after identity:
# Ensure no scripts or configuration files contain credentials
# Run TruffleHog against your internal repositories and file shares
trufflehog filesystem /path/to/internal/share \
--json \
--include-detectors=all \
2>/dev/null | \
jq '{file: .SourceMetadata.Data.Filesystem.file, detector: .DetectorName, verified: .Verified}'
Run This in Your Own Environment: MFA Audit
#!/bin/bash
# Purple Team EP05 — MFA Coverage Audit
# Checks for push-MFA users who are A07 exposure without hardware key enrollment
echo "=== AWS: Console Users Without MFA ==="
aws iam generate-credential-report > /dev/null 2>&1
sleep 5
aws iam get-credential-report --query 'Content' --output text | base64 -d | \
awk -F',' 'NR>1 && $4=="true" && $8=="false" {
print " USER: " $1 " | Console: " $4 " | MFA: " $8
}'
echo ""
echo "=== AWS: IAM Users with Long-Lived Access Keys (rotation risk) ==="
aws iam get-credential-report --query 'Content' --output text | base64 -d | \
awk -F',' 'NR>1 && $9!="N/A" {
cmd = "date -d " $10 " +%s"
cmd | getline key_date; close(cmd)
now = systime()
age_days = int((now - key_date) / 86400)
if (age_days > 90) print " USER: " $1 " | KEY AGE: " age_days " days"
}'
echo ""
echo "=== RECOMMENDATION ==="
echo " - Any console user without MFA = immediate A07 exposure"
echo " - For accounts with Okta/Azure AD: run IdP-specific audit above"
echo " - Hardware FIDO2 keys required for all admin accounts"
⚠ Common Mistakes When Responding to MFA Fatigue Risk
Mandating security training as the primary response. The Uber contractor was experienced. Training did not fail — the attacker exploited a social engineering vector that training cannot structurally prevent. Hardware keys remove the social engineering surface entirely.
Implementing “number matching” and considering MFA fatigue solved. Number matching makes fatigue attacks harder, not impossible. A sophisticated attacker can relay the number in real time via voice call (“what number do you see on your screen?”). It buys time; it does not eliminate the attack class.
Requiring MFA for employees but not contractors. The Uber breach was a contractor account. Contractor access policies tend to have looser MFA requirements because contractors often resist corporate MDM on personal devices. The solution is to scope contractor access tightly and require hardware key MFA at the access boundary, not push MFA.
Not monitoring for the failure-then-success pattern. The Okta System Log, Azure AD Sign-in Logs, and Duo Admin Panel all have the data to detect MFA fatigue in real time. Most organizations generate these logs but do not have detection rules for the pattern. The detection is straightforward; the investment is adding the rule to your SIEM.
Forgetting session tokens. The Okta breach was not MFA fatigue — it was session token theft. An attacker who can steal a valid session token does not need to beat MFA at all. Session token lifetime, storage security, and re-authentication requirements for sensitive operations are separate controls that address this variant.
Quick Reference
| Attack Variant | Mechanism | Structural Fix |
|---|---|---|
| Push notification flood | Attacker initiates logins repeatedly until user accepts | FIDO2 hardware key MFA |
| Social engineering layer | Attacker contacts user claiming to be IT support | Hardware key (physical presence required) |
| Session token theft | Steal valid session without needing MFA at all | Short session lifetime + re-auth for sensitive ops |
| Number matching bypass | Relay number via voice call in real time | Hardware key (no relay possible) |
| SIM swap | Port victim’s phone number to attacker’s SIM; receive OTP | Hardware key (phone-independent) |
Key Takeaways
- An MFA fatigue attack exploits push notification UX — training users to tap “deny” competes with a trained habit of tapping “accept”; hardware keys eliminate the attack surface by requiring physical presence
- The Uber breach (2022) was MFA fatigue + hardcoded credentials in a file share — two OWASP categories chained (A07 + A02)
- Detection is straightforward: multiple MFA failures followed by a success in a short window — this pattern exists in every IdP’s logs; adding the detection rule is the work
- Number matching is a meaningful intermediate mitigation; it is not a structural fix
- Hardware FIDO2 keys are the structural fix — they require physical presence and are phishing-resistant by design
- Tier-0 accounts (cloud admin, IAM admin, Okta admin) cannot wait for the phased rollout — hardware keys on day one
- Session token theft (CircleCI, Okta support breach) is a related A07 variant: even perfect MFA is bypassed if a valid session token is exfiltrated
What’s Next
EP06 covers CI/CD secrets exposure — how pipeline breaches work, why storing credentials in environment variables is structurally dangerous, and how the CircleCI breach exposed secrets that teams thought were safely stored. The structural answer is OIDC workload identity (IAM EP07): short-lived credentials that cannot be exfiltrated because they don’t exist until the moment they’re needed.
Get EP06 in your inbox when it publishes → subscribe at linuxcent.com
