Prevent MFA Bombing & Fatigue: A Guide for Businesses

Zero Trust security models call for the use of multi-factor authentication (MFA) to ensure that only authorized users may access protected IT resources. Many organizations are adopting MFA to add a layer of security for remote workers. Customer-facing organizations are also implementing MFA to mitigate identity-based attacks, such as phishing, and to help quash the rise in account takeover fraud.

For five consecutive years, the leading cause of breaches has been compromised credentials — in other words, the use of stolen passwords. MFA renders the use of stolen credentials futile, as attackers are highly unlikely to have access to a user's other authentication factors, such as a mobile phone.

Microsoft has stated that using MFA may stop 99% of password-related attacks within an enterprise, so an increasing number of enterprises have begun to require MFA before granting account access. That's the good news. 

The bad news is that attackers are now evolving their tactics for bypassing MFA - and are finding some success. 

Many organizations encourage using MFA for threat protection, but relying on users to approve authentication requests manually is now riskier than ever due to tactics such as MFA Bombing.

MFA bombing is a tactic, also known as an attack vector, that bad actors use to commit account takeover. Sometimes called MFA flooding, it plays on a user’s emotions by manufacturing MFA fatigue. In essence, attackers take advantage of users by sending rampant push notifications. Many users deny the prompts initially but get annoyed after receiving one every few seconds and eventually approve the request.

How Does MFA Bombing Start?

Fraudsters initiate MFA fatigue and subsequent carelessness in users following a sophisticated order of operations. In order for MFA bombing attacks to be successful, the following events must take place:

User Credentials & Information Are Collected

As is commonly seen with online fraud, the MFA bombing attack process begins with compromised login credentials. Today’s shrewd and methodical fraudsters have developed a number of effective ways to steal people’s usernames and passwords. Sometimes cybercriminals purchase stolen identity data from other fraudsters. In other instances, they might acquire user credentials themselves by way of scams like social engineering or phishing attacks.

Stolen Credentials Are Used to Send MFA Push Notifications

With compromised usernames and passwords in hand, fraudsters then target an online service known to use push notifications for MFA. Interestingly, the goal here isn’t to circumvent MFA barriers, but rather create a situation where a user is overwhelmed by the very push notifications that are designed to protect them.

The actual attack occurs when the fraudster attempts to log in to a user’s account. Some fraudsters send a few notifications a day so as to not cause alarm, while others overwhelm users with a rapid-fire succession of login attempts. Since they can be extremely disruptive and annoying, mobile push notifications are the most effective tool for fraudsters.

The criminal continues with login attempts until the user authenticates simply to stop the incoming notifications. Once the victim verifies their identity, the fraudster then has free access to sensitive materials that lie beyond MFA barriers.

MFA is under attack

While MFA is a vast improvement over a simple username and password combination, there are ways that MFA can be compromised, including:

• Man-in-the-middle (MitM) attacks: Fraudsters position themselves between organizations (such as financial institutions) and users to intercept, edit, send, and receive communications without being noticed.
• SIM-card swapping attacks: A cybercriminal uses social engineering tactics to transfer a user's mobile phone number to a new SIM card owned by the criminal. If such an attack is successful, the victim's apps, including banking apps, can be activated on the impersonator's phone.
• Pass-the-cookie attacks: A session or authentication cookie can be stolen and injected into a new web session to trick the browser into thinking the authenticated user is present and does not need to prove their identity.

MFA fatigue attacks (aka MFA spamming or MFA prompt bombing): The MFA fatigue attack relies on people to be distracted, careless, or frustrated by frequent requests to authenticate. As a new form of social engineering, MFA fatigue raises considerable security concerns.

What is MFA Fatigue?

Sometimes, as a means to an end, people will engage in behavior that they know is borderline unsafe. Who amongst us hasn't disabled a smoke alarm to make the low-battery alert stop its intermittent screeching? MFA fatigue attacks rely on similar human impulses, which ultimately make users vulnerable to MFA bombardment.

With MFA prompt bombing, attackers attempt to get access to an account or device by flooding a user's authentication app with push notifications. As mentioned above, some attackers send a few push notifications a day thinking they will fly under the radar, while others bombard the user with continuous messages, but the intended outcome in either approach is the same: to get users to authorize access in order to make the notifications stop, thereby granting access to the attacker.

So, how can organizations reap the security benefits that MFA provides in the face of attacks and fatigue? There are four main options for dismantling MFA bombing. In order of increasing complexity, they are: 

1. Limit MFA prompts to a specific timeframe

2. Push notifications with additional context

3. Push notifications with number selection

4. Risk-based authentication

5. Passwordless with FIDO2

6. User education

Limit the Number of Prompts in a Specific Timeframe

The easiest option to address MFA bombing is limiting the number of prompts sent to a user within a specific timeframe. Even trained users may approve a push notification after being prompted ten times, so limiting the number of prompts to three, for example, can help. Unfortunately, the user must still respond to the notification, with many approving the first push. If limiting the prompts is the only option available to an organization, it may be wise to consider this a temporary solution.

Push Notifications

Push-based MFA has a number of advantages: the underlying technology is considered secure, end users always get notified if somebody tries to authenticate with their credentials, and it provides a superior and easy user experience compared to other MFA options (think OTPs). However, the back-channel nature of this MFA method puts users in a risky position because they can approve a request even if they are far away from the actual browser that triggered the authentication.

Push Notifications With Additional Context

The push notification with context feature lets you keep your users safe from MFA attacks by sending them additional context. When users are presented with a push notification request, they are provided contextual information about the request, such as where the request came from, information about the device, the user agent, or other signals.

When the push notification is received, the user can review the contextual authentication information, decide whether it is legitimate, and accept it or reject it.

Push Notifications With Number Selection

Push notifications with number selection are another easy option to help stop MFA bombing. This is because this method forces proximity by presenting a two-digit number on the device and asking the user to select it from a list of options. For many, getting a push notification with a number selection without seeing the number on the accessing device will look suspicious, and they will report the attack. 

Although this goes further than simply limiting the number of prompts, both of these push-based MFA options could still cause fatigue and open the door to account takeover. Fortunately, organizations have several other methods available to them that can help them take on the MFA fatigue challenge.

Risk-Based Authentication

Beyond tweaking the settings of MFA prompts, risk-based authentication (RBA) is a more targeted option for dismantling MFA bombing. RBA limits the need for and varies the method of MFA based on different conditions. While attackers cause MFA fatigue, an organization’s cumbersome authentication policies can also be a root cause. RBA is adaptive and helps create intelligent access policies based on data inputs and risk signals. It makes authentication decisions smarter by learning the patterns of each user, device, location, network, etc., and providing a risk score. MFA policies use this score to determine whether to approve or challenge authentication and what method to use. For example, if the user attempts to log in from a known device at a known location, the risk of account takeover is low, and no MFA is required. However, if the login attempt is from an unknown device at a location that was never previously used, the risk of fraud is high and requires MFA, perhaps via a QR code.

With the right tools and configuration, low-risk users won’t experience MFA fatigue. If prompts for MFA are rarer overall, an attacker’s attempt is less likely to slip by unnoticed. Some Ping Identity customers have reported between a 65% and 89% reduction in MFA prompts by leveraging RBA¹ with Ping’s new RBA detection tool, PingOne Protect.

Passwordless with FIDO2

FIDO2 (Fast Identity Online), the open standard for public key cryptography, allows users to authenticate biometrically on security keys or other FIDO-compatible devices. Generally considered the most secure way to authenticate, it forces proximity between the user and the accessing device while preventing man-in-the-middle and reverse proxy attacks. Above all, FIDO2 is the backbone of the passwordless experience, so it’s both highly secure and incredibly user-friendly.

Despite the advantages, adopting FIDO2 has been relatively slow, with many roadblocks. Most of the roadblocks relate to cost and complexity. Nonetheless, FIDO2 is still one of the best options for dismantling MFA bombing, and leads to an impressive improvement in customer experience.

Learn about navigating passwordless roadblocks here.

User Education

Organizations must put strong security tools in place in order to protect themselves and their users, but user education is another key part of stopping MFA bombing attacks. This notion is particularly true for certain segments of the population like the elderly who might not be as current with modern smartphone technology.

Organizations should educate users on their MFA policies so people know what to expect when they log in to a digital property. Beyond that, teaching users about online fraud techniques like MFA bombing is a great way to spread awareness - while also giving them the tools to protect themselves

Securing users and their accounts doesn’t mean you must endure MFA fatigue. There are many tactics for dismantling MFA bombing that are secure and user-friendly, from limiting MFA prompts to a specific time frame and leveraging push notifications with context or number selection to utilizing risk-based authentication and going passwordless. With these options, organizations can prevent account takeover fraud and offer exceptional digital experiences.

Sources:

1. Ping Identity, 2023 Customer Verified-Outcomes, Customer Success Program