Protect against account takeover fraud without causing MFA fatigue by limiting prompts to a specific time frame, leveraging push notifications with number selection, utilizing risk-based authentication, and/or going passwordless with FIDO2.
MFA bombing is an attack technique that bad actors use to commit account takeover. Sometimes called MFA flooding, it plays on a user’s emotions by manufacturing MFA fatigue. In essence, attackers take advantage of users by sending a flood of push notifications. Many users deny the prompts initially but get annoyed after receiving one every few seconds and eventually approve the request.
As multi-factor authentication (MFA) is now the identity security standard for organizations, attackers are evolving their tactics for bypassing MFA. Many organizations encourage using MFA for threat protection, but relying on users to approve authentication requests manually is now riskier than ever. Even when not under attack, organizations quickly recognize that they are losing employee productivity and customer revenue by forcing MFA too often. Over 56% of consumers have abandoned an online experience because the login process was too frustrating [1].
So, how can organizations reap the security benefits that MFA provides in the face of attacks and fatigue? There are four main options for dismantling MFA bombing. In order of increasing complexity, they are:
1. Limiting MFA prompts to a specific timeframe
2. Leveraging push notifications with number selection
3. Utilizing risk-based authentication
4. Going passwordless with FIDO2
The easiest option to address MFA bombing is limiting the number of prompts sent to a user within a specific timeframe. Even trained users may approve a push notification after being prompted ten times, so limiting the number of prompts to three, for example, can help. Unfortunately, the user must still respond to the notification, with many approving the first push. If limiting the prompts is the only option available to an organization, it may be wise to consider this a temporary solution.
Another easy option to dismantle MFA bombing is using push notifications with number selection (number matching). This method forces proximity by presenting a two-digit number on the accessing device and asking the user to select that same number from a list of options on their authenticator. For many, getting a push notification with a number selection without seeing the number on the accessing device will look suspicious, and they will report the attack. However, this method of MFA could still cause fatigue and open the door to account takeover.
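The two push-notification mitigations above, a per-user prompt limit within a time window and number matching, can live in the same push MFA service. The following is an added illustration, not Ping Identity's code or any product's API; the service class, the limit of three prompts per five minutes, the three-option choice list and the alert list are all assumptions chosen for the example. Prompts beyond the limit are not sent at all, and both a hit limit and a mismatched number are recorded as events a security team can watch for, since a burst of blocked prompts or wrong selections is exactly the footprint MFA bombing leaves.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed example: a push-MFA service combining prompt rate limiting
# with number matching. Constants are assumptions, not product settings.
MAX_PROMPTS = 3        # prompts allowed per user inside one window
WINDOW_SECONDS = 300   # window length (5 minutes)
OPTION_COUNT = 3       # how many numbers the authenticator offers to pick from


class PushMfaService:
    def __init__(self, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)   # user -> timestamps of prompts sent
        self._pending = {}                # user -> number the user must select
        self.alerts = []                  # (time, user, event) for the SOC

    def _prune(self, user, now):
        # Drop prompt timestamps that have fallen outside the window
        sent = self._sent[user]
        while sent and now - sent[0] > self.window:
            sent.popleft()

    def request_push(self, user, now=None):
        """Return the challenge to show on the accessing device, or None when
        the user has already received the maximum number of prompts."""
        now = time.time() if now is None else now
        self._prune(user, now)
        if len(self._sent[user]) >= self.max_prompts:
            # The push is suppressed; repeated hits here are a bombing signal
            self.alerts.append((now, user, "prompt_limit_reached"))
            return None
        self._sent[user].append(now)
        number = secrets.randbelow(90) + 10   # two-digit number, 10..99
        self._pending[user] = number
        # Choice list for the authenticator: the real number plus random decoys
        options = {number}
        while len(options) < OPTION_COUNT:
            options.add(secrets.randbelow(90) + 10)
        shuffled = list(options)
        secrets.SystemRandom().shuffle(shuffled)
        return {"display_number": number, "options": shuffled}

    def complete_push(self, user, selected, now=None):
        """Verify the number picked on the authenticator; each challenge is
        single-use, so a second answer to the same prompt is rejected."""
        now = time.time() if now is None else now
        expected = self._pending.pop(user, None)
        if expected is None:
            return False
        if selected != expected:
            # A user who never saw the number cannot reliably pick it
            self.alerts.append((now, user, "number_mismatch"))
            return False
        return True


if __name__ == "__main__":
    svc = PushMfaService()
    challenge = svc.request_push("alice")
    print("show on accessing device:", challenge["display_number"])
    print("authenticator offers:", challenge["options"])
    print("approved:", svc.complete_push("alice", challenge["display_number"]))
```

The window is checked when a prompt is requested, so a fourth request inside five minutes returns None and nothing reaches the user's phone; that is the point at which the page's "temporary solution" caveat applies, because the first three pushes were still delivered.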
Beyond tweaking the settings of MFA prompts, risk-based authentication (RBA) is a more targeted option for dismantling MFA bombing. RBA limits the need for and varies the method of MFA based on different conditions. While attackers cause MFA fatigue, an organization’s cumbersome authentication policies can also be a root cause. RBA is adaptive and helps create intelligent access policies based on data inputs and risk signals. It makes authentication decisions smarter by learning the patterns of each user, device, location, network, etc., and providing a risk score. MFA policies use this score to determine whether to approve or challenge authentication and what method to use. For example, if the user attempts to log in from a known device at a known location, the risk of account takeover is low, and no MFA is required. However, if the login attempt is from an unknown device at a location that was never previously used, the risk of fraud is high and requires MFA via a QR code.
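The RBA decision flow described above, a risk score built from device, location and network signals that then selects the authentication method, can be sketched in a few dozen lines. This is an added example and not PingOne Protect or any Ping Identity code; the signal weights, the score thresholds and the three outcomes (no MFA, push with number matching, QR code) are assumptions chosen to match the page's two scenarios. The profile update at the end stands in for the "learning the patterns of each user" step: a device or location only becomes known after a successful high-assurance login, so an attacker cannot lower their own score by failing repeatedly.

```python
from dataclasses import dataclass, field

# Constructed example of a risk-based authentication policy. Weights and
# thresholds are assumptions, not values from any product.


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    network: str   # e.g. an ASN or a named corporate network


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)


# Contribution of each risk signal to the score (0..100)
WEIGHTS = {
    "unknown_device": 40,
    "new_country": 35,
    "new_network": 15,
}

# Score thresholds that pick the authentication method
LOW_RISK_MAX = 29     # no MFA at all
MEDIUM_RISK_MAX = 69  # push notification with number matching


def risk_signals(ctx: LoginContext, profile: UserProfile):
    """Compare the login attempt with what is known about the user."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if ctx.country not in profile.known_countries:
        signals.append("new_country")
    if ctx.network not in profile.known_networks:
        signals.append("new_network")
    return signals


def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    return min(100, sum(WEIGHTS[s] for s in risk_signals(ctx, profile)))


def decide(score: int) -> str:
    """Map a score to the policy outcome used by the authentication flow."""
    if score <= LOW_RISK_MAX:
        return "allow"              # known device and location: no prompt
    if score <= MEDIUM_RISK_MAX:
        return "push_number_match"  # some novelty: proximity-checked push
    return "qr_code"                # unknown device and location: strongest method


def record_success(ctx: LoginContext, profile: UserProfile, method: str):
    """Learn from a completed login. Only logins that passed a challenge
    (or needed none because everything was already known) extend the
    profile, so failed attempts never teach the policy anything."""
    if method in ("allow", "push_number_match", "qr_code"):
        profile.known_devices.add(ctx.device_id)
        profile.known_countries.add(ctx.country)
        profile.known_networks.add(ctx.network)


if __name__ == "__main__":
    profile = UserProfile({"laptop-1"}, {"US"}, {"corp-net"})
    for ctx in (
        LoginContext("alice", "laptop-1", "US", "corp-net"),
        LoginContext("alice", "laptop-1", "US", "home-isp"),
        LoginContext("alice", "phone-9", "BR", "cafe-wifi"),
    ):
        score = risk_score(ctx, profile)
        print(ctx.device_id, ctx.country, score, decide(score))
```

Because the decision is made before any push is sent, a bombing campaign from an unknown device never reaches the user's push channel at all; it is routed to the QR-code method instead, which the attacker cannot complete without the accessing device in hand.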
With the right tools and configuration, low-risk users won’t experience MFA fatigue—whether caused by a bad actor or the organization itself. If prompts for MFA are rarer overall, an attacker’s attempt is less likely to slip by unnoticed. Some Ping Identity customers have reported between a 65% and 89% reduction in MFA prompts by leveraging RBA [2]. Check out Ping’s new RBA detection tool, PingOne Protect.
FIDO2 (Fast Identity Online), the open authentication standard built on public key cryptography, allows users to authenticate biometrically on security keys or other FIDO-compatible devices. Generally considered the most secure way to authenticate, it forces proximity between the user and the accessing device while preventing man-in-the-middle and reverse proxy attacks. Above all, FIDO2 is the backbone of the passwordless experience, so it’s both highly secure and incredibly user-friendly.
Despite the advantages, adopting FIDO2 has been relatively slow, with many roadblocks. Most of the roadblocks relate to cost and complexity. Nonetheless, FIDO2 is still one of the best options for dismantling MFA bombing.
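The reason FIDO2 resists the man-in-the-middle and reverse proxy attacks mentioned above is origin binding: the browser, not the user, writes the origin it is talking to into the signed client data, and the authenticator signs over a hash of the relying party ID. The relying party checks of that binding are shown below as an added example using only the standard library; it is not Ping Identity code and not a complete WebAuthn implementation (the signature over authenticatorData and clientDataJSON is not verified here, which needs the registered credential's public key and a cryptography library). The relying party ID example.com, the expected origin and the helper functions that build sample client data and authenticator data are constructed for the example.

```python
import base64
import hashlib
import json
import secrets

# Constructed example: the origin/challenge/rpIdHash checks a WebAuthn relying
# party performs on an assertion. RP_ID and EXPECTED_ORIGIN are assumptions.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Fresh random challenge the server stores per login attempt."""
    return b64url_encode(secrets.token_bytes(32))


def verify_assertion_binding(client_data_json: bytes,
                             authenticator_data: bytes,
                             expected_challenge: str):
    """Check that the assertion was produced for our origin, our challenge
    and our relying party ID, with a present user. Returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"     # replay or stale assertion
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"        # proxy or look-alike site
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    if authenticator_data[:32] != rp_id_hash:
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user not present"
    # The signature (not checked here) covers authenticator_data plus
    # sha256(client_data_json), so none of the fields above can be edited.
    return True, "ok"


# Helpers that build sample inputs the way a browser and authenticator would.
def make_client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str,
                            flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED,
                            counter: int = 1) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = new_challenge()
    for origin in (EXPECTED_ORIGIN, "https://example-login.test"):
        ok, reason = verify_assertion_binding(
            make_client_data(origin, challenge),
            make_authenticator_data(RP_ID), challenge)
        print(origin, "->", ok, reason)
```

A reverse proxy sitting on a look-alike domain relays the real challenge to the victim, but the victim's browser fills in the look-alike origin, so the relying party rejects the assertion; this is what makes FIDO2 phishing-resistant rather than merely a stronger second factor.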
Securing users and their accounts doesn’t mean you must endure MFA fatigue. There are many tactics for dismantling MFA bombing that are secure and user-friendly, from limiting MFA prompts to a specific time frame and leveraging push notifications with number selection to utilizing risk-based authentication and going passwordless. With these options, e-commerce and financial institutions can prevent account takeover fraud and offer exceptional digital experiences. Check out Ping’s threat protection capabilities page to learn more.
Sources:
1. Ping Identity, “2021 Consumer Survey: Brand Loyalty is Earned at Login”
2. Ping Identity, 2023 Customer Verified-Outcomes, Customer Success Program
At Ping Identity, we believe in making enterprise experiences both secure and seamless for all users, without compromise. That’s digital freedom. To achieve this, the PingOne Cloud Platform turns you into an experienced artist who can bring exceptional journeys to life with a simple no-code canvas. You can deliver passwordless authentication, protect user privacy, prevent fraud, architect for zero trust, and much more. For more information, please visit www.pingidentity.com.