MFA Notification Fatigue Attacks

I can still recall my first horror movie starring a werewolf. The bad news was that a scary monster was coming. The good news, there was a way to definitively stop it – just use a silver bullet!

In real life, we have scary threat actors coming after us as well. These “monsters” are ruthless in their attack methods and are unfortunately successful too many times to count. Though we have many defensive tools in our toolbox, a fan favorite has emerged – multi-factor authentication.

Multi-factor authentication (MFA), aka two-factor authentication, is a security measure that goes beyond the traditional username and password combination by requiring additional authentication factors. These are typically categorized into:

• Something you know: passwords, PINs
• Something you have: smartphones, tokens, smart cards
• Something you are: biometrics such as facial recognition, fingerprints, voice recognition, retina

To successfully log in with MFA, users must provide at least two of these factors, not just the “something you know” username and password combo. A best practice is to use out-of-band (OOB) MFA, which means the user must use a separate communication channel or medium to verify a person’s identity. It would be far less effective to have a revolving PIN code on the user’s desktop if a threat actor has established remote command of that workstation. Instead, a push notification to your smart device or biometrics would be far more defensive approaches in comparison.

Your silver bullet is now in the chamber and ready to fire.

But wait, this method isn’t 100% effective? How is that possible because I am using OOB MFA and the threat actors cannot directly access my cell phone, and good luck trying to get into my offline smart watch!

According to CISA, one way to circumvent this protection is an attack method known as MFA push-bombing, a form of MFA fatigue attacks. Push bombing is a targeted MFA fatigue attack that involves threat actors sending excessive push notifications or alerts to users, hoping they will eventually accept or respond to the notifications out of frustration or exhaustion. To initiate a push-bombing attack, the threat actor has already compromised the user’s credentials (username and password). They will then begin a series of login attempts performed in quick succession to attempt to “fatigue” the user into approving the request in hopes of just making the notifications stop. Imagine all that protection at your back door only to let the werewolf simply walk in the front door! Though CISA and regulatory agencies encourage all organizations to consider implementing fatigue attack resistant MFA, many of us are just not there, yet.

In the interim, education can be your best defense when used in conjunction with your active authentication practices. Train your users about phishing and MFA fatigue attacks along with your traditional social engineering campaign. Teach them that the only time they should click accept is when they have sent the request during an actual login attempt initiated by them – with zero exceptions. Failing to accept a suspicious MFA prompt is the first goal. Then, to report these attempts to those in charge of IT infrastructure immediately.

Striking the right balance between security and usability is important. Consider implementing user-friendly MFA solutions in conjunction with robust Information Security Awareness education to help your organization mitigate MFA fatigue and ensure the protection of sensitive information without compromising user experience.

Authored by: Benjamin Caruso, CBISO