6 ways to beat MFA fatigue attacks
Cybercriminals are always looking for ways to bypass multi-factor authentication (MFA). Learn how to secure push notifications from MFA fatigue attacks.
Published April 21, 2023
Multi-factor authentication (MFA) is well-known as the most effective way for organizations to reduce the risks that arise from password compromise.
Correctly implemented, it is anything from inconvenient to impossible for attackers to bypass. With MFA, it can seem as if the many well-documented weaknesses inherent to passwords simply disappear.
In fact, this is a half-truth. MFA is a family of distinct technologies based on similar principles, but which vary from one another in their security and ease of use. Any one of them is markedly better than no MFA, but that does not mean they are all equally secure under real-world conditions.
Cybercriminals are always trying to find ways to beat MFA, and they have been doing so with increasing success. For example, sending one-time passwords (OTPs) via SMS is no longer seen as reliably secure, and even smartphone authenticator apps have proved vulnerable under some circumstances.
Recently, attackers have started attacking another popular MFA technology: push notifications.
Push notifications work by asking users to confirm that a login is genuine through a single-tap yes/no notification sent to their smartphone. The principle is simple: if the access attempt is malicious, the genuine user will refuse the request.
Unfortunately, attackers spotted a weakness. After logging in with stolen credentials, all they need to do to bypass the MFA layer is somehow persuade the genuine user to tap 'yes'. In practice, most users are suspicious and refuse unexpected requests. However, a small number (around 1%, by Microsoft's estimate) will approve the very first prompt. A somewhat larger share will simply ignore it. In the latter case, the attackers try again and again, spamming the user in the hope that they will eventually accept the request without studying it closely.
Called MFA fatigue, the technique has featured since 2021 in a growing number of incidents, including the Uber breach by Lapsus$, Cisco's network breach, and an attack campaign targeting Microsoft 365 users. Attackers have also added further social engineering layers on top of the push spam: some pose as IT support staff and phone targeted users to persuade them to accept a push notification.
A closer look at these incidents reveals that the underlying weakness wasn't push notification itself but the way it had been implemented. These issues can be addressed in a variety of ways:
The most direct solution is to optimize your MFA authentication processes. You can enhance MFA security by:
Limiting the number of unsuccessful access attempts within a certain timeframe
Creating automatic alerts and responses to block the user when unsuccessful access attempts pass a certain threshold
Adding geolocation restrictions
Restricting access outside of specific timeframes
Adjusting frequency and circumstances of authentication requests
This is simple to implement and can be effective, but of course it does not remove the possibility that the attacker will fall back on other forms of social engineering, such as phoning the target while posing as IT support.
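As an added example (not UserLock's code, and not built on any vendor's API), the following Python applies the first three controls listed above to a constructed sample of push-challenge log lines: a sliding-window count of unapproved pushes per user that blocks the account once a threshold is reached, a geolocation allow-list, and a time-of-day window. It also flags an approval that arrives right after a burst of refusals, since that is the outcome the attacker is waiting for. The log format, field names, country codes and threshold values are assumptions chosen for the demonstration.

```python
"""
MFA push-fatigue detection over a constructed log sample.

Added example for this article; it is not UserLock's code and does not use
any vendor API. The log format, field names, country codes and thresholds
below are assumptions chosen for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values; tune to the environment).
MAX_UNAPPROVED = 3                 # unapproved pushes tolerated per window
WINDOW = timedelta(minutes=10)     # sliding window for that count
ALLOWED_COUNTRIES = {"FR", "GB"}   # geolocation restriction
ALLOWED_HOURS = range(7, 20)       # 07:00-19:59 UTC

# Constructed sample log, one push challenge per line:
#   <ISO-8601 UTC timestamp> <user> <source country> <result>
# 'bob' is being bombed from an unexpected country at night and finally taps yes.
SAMPLE_LOG = """\
2023-04-20T08:02:11Z alice FR approved
2023-04-20T22:14:03Z bob BR denied
2023-04-20T22:14:41Z bob BR timeout
2023-04-20T22:15:20Z bob BR timeout
2023-04-20T22:16:05Z bob BR denied
2023-04-20T22:16:50Z bob BR approved
2023-04-20T09:30:00Z carol FR denied
2023-04-20T15:45:00Z carol FR approved
"""


def parse_line(line):
    """Parse one log line into a dict with an aware UTC datetime."""
    ts, user, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "country": country,
        "result": result,
    }


class PushFatigueDetector:
    """Per-user sliding-window count of unapproved push challenges, plus
    geolocation and time-of-day checks on every challenge."""

    def __init__(self, max_unapproved=MAX_UNAPPROVED, window=WINDOW,
                 allowed_countries=ALLOWED_COUNTRIES, allowed_hours=ALLOWED_HOURS):
        self.max_unapproved = max_unapproved
        self.window = window
        self.allowed_countries = allowed_countries
        self.allowed_hours = allowed_hours
        self.recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
        self.blocked = set()

    def _unapproved_in_window(self, user, ts):
        """Drop entries older than the window and return how many remain."""
        q = self.recent[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def evaluate(self, ev):
        """Return the findings for one challenge; block the user when the
        unapproved-push threshold is reached."""
        findings = []
        user, ts = ev["user"], ev["ts"]

        if user in self.blocked:
            findings.append("blocked: challenge issued to a locked account")
        if ev["country"] not in self.allowed_countries:
            findings.append(f"geo: request from {ev['country']}")
        if ts.hour not in self.allowed_hours:
            findings.append(f"time: request at {ts:%H:%M} UTC outside allowed hours")

        if ev["result"] != "approved":            # denied or timed out
            self.recent[user].append(ts)
            n = self._unapproved_in_window(user, ts)
            if n >= self.max_unapproved and user not in self.blocked:
                self.blocked.add(user)
                findings.append(f"fatigue: {n} unapproved pushes within {self.window}; user blocked")
        else:
            # An approval right after a burst of refusals is exactly what the
            # attacker is waiting for; treat it as a likely credential compromise.
            n = self._unapproved_in_window(user, ts)
            if n:
                findings.append(f"suspicious approval after {n} unapproved pushes")
        return findings


def scan(log_text, detector=None):
    """Run the detector over a whole log; return (detector, {user: [findings]})."""
    det = detector or PushFatigueDetector()
    report = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        report[ev["user"]].extend(det.evaluate(ev))
    return det, {u: f for u, f in report.items() if f}


if __name__ == "__main__":
    det, report = scan(SAMPLE_LOG)
    for user, findings in report.items():
        print(user)
        for f in findings:
            print("  -", f)
    print("blocked:", sorted(det.blocked))
```

On the sample, alice and carol produce no findings (carol's single refusal in the morning has aged out of the window by the time she approves in the afternoon), while bob is blocked on the third unapproved push and his eventual approval is flagged as suspicious, alongside the geolocation and out-of-hours findings on every one of his challenges. In a real deployment the same logic would run on the identity provider's authentication events, and the "user blocked" finding would trigger the automatic response described in the second bullet above rather than just being reported.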
Add context to the notification itself. Details such as the geographical location, device type, and time of the request make rogue requests easier to spot.
Match the MFA method to the user's level of privilege. That might look like opting for hardware tokens for privileged users, while retaining push notifications for standard users.
Of course, it’s important to educate users so they can identify MFA fatigue attacks. They should know to be suspicious of repeat authentication requests. And yes, this sounds incredibly basic (we know!). But, a major component of successful MFA fatigue attacks is ignorance of their existence.
Give users a way to report rogue requests (refused push notifications could be evidence of compromised credentials).
As with any form of MFA, push notification authentication is always about balancing security with ease of use.
If too many checks are added to make push notifications harder to bypass, this risks creating extra work for the user. After all, the whole reason for using push notifications is to make MFA as frictionless as possible.
So, what’s the best balance? The answer is almost certainly different for each unique organization.
When deciding whether to offer push notifications to their users, IT teams will surely take into account the type of user, whether the user is on-site or off-site, and a number of other factors. For example, they might prefer that admins use hardware tokens like YubiKey and Token2, while they roll MFA out across their average users with push notifications.
And the more MFA push solutions make it easy for IT teams to customize around how and when they require push notifications, the easier it will be for organizations to hit the right balance.
Push notification has flourished because it is incredibly easy to use. The user simply agrees or disagrees that an authentication request is genuine with a single tap. But it is that very simplicity and speed that attackers realized could be exploited to socially engineer users with a barrage of rogue requests.
This mirrors the way other forms of MFA such as OTPs sent via SMS have been undermined by bypass attacks. In fact, while any MFA is always better than no MFA, no type of MFA should be seen as completely immune from the possibility of bypass.
The good news is that, unlike SMS OTPs, the weaknesses underpinning push notification attacks can be addressed, most notably by implementing more granular controls such as rate limiting, adding extra context to notifications, and educating users to be wary of notification spam.
As the list of mitigations makes clear, push notification remains a secure and easy-to-use form of authentication as long as its weaknesses are carefully addressed.
For even more security, push apps like UserLock’s go further by showing the:
Geographical location of the authentication request,
Device it was requested from, and
Time of the request.
This way, users can more easily spot a bogus request. If a user refuses a push notification request as bogus, they are prompted to change their password immediately and contact the network administrator.
The UserLock Push app offers frictionless 2FA push authentications for Active Directory identities’ access to multiple connections including RDP, RD Gateway, RDWeb, VPN, IIS, and SaaS.