Multi-factor authentication (MFA) is a security technique that requires users to provide multiple forms of authentication when accessing a system or service. This means that in addition to a username and password, users must provide an additional piece of information, such as a security code or biometric data, to verify their identity. MFA is an important security measure because it adds an extra layer of protection against unauthorized access.
In the past, authentication systems typically relied on just a single factor, such as a password, to verify a user’s identity. However, this approach is not always secure, as passwords can be easily guessed or stolen. MFA addresses this problem by requiring users to provide multiple forms of authentication, which makes it much harder for attackers to gain unauthorized access.
MFA is particularly important in the context of corporate security, where protecting access to sensitive data and systems is critical. By implementing MFA, organizations can significantly reduce the risk of unauthorized access, helping to protect against cyber-attacks and other security threats.
MFA has become a standard across many organizations and has evolved into various forms based on user and organization preferences. One popular form of MFA is the use of push notifications through a mobile authenticator app. These apps allow users to easily complete or deny login requests with a simple tap on their phone.
While this method is convenient, it is also considered to be one of the weaker forms of MFA due to its ability to easily grant access with a simple push of a button.
MFA Fatigue and MFA Bombing
MFA fatigue refers to the overload of prompts or notifications the victim would receive via MFA applications. Hackers prey on this fatigue by sending repeated MFA requests to a user in a technique known as MFA bombing. This technique only works if the threat actor already has the credentials of a targeted account from a previous compromise such as phishing, brute force, or password spraying.
What happens once they have the credentials:
Once the threat actor has a victim’s credentials, they begin requesting approval to sign-in from the victim’s MFA application. The goal for the attacker is to repeatedly spam push notifications to the target’s phone requesting sign-in approval in the hopes that the target might believe there’s an issue with the MFA application and eventually approve a request to make the notifications stop. Once this happens, the threat actor gets access to everything the MFA application protects.
How to respond to an MFA bombing attack
When a user begins receiving multiple unsolicited requests from an MFA application they must change their password to that account immediately. The attacker will no longer have access to the request trigger once the user resets the password, so the requests should cease.It is also a good idea to inform the IT department or help desk as they may be able to track down the origin of the attacks and block that location.
What has been done to protect against this:
To help prevent these attacks, geo-blocking policies can be put in place to restrict sign-in activities from foreign countries or other areas where a user would never travel. Frequent password rotations may also prevent attackers from gaining access to older compromised credentials.
It is important to remember that while the attacker is trying to get access, MFA is actually preventing that hacker from compromising the system or account unless a user accidentally approves it. The MFA application may be spamming a user but it’s still doing the job and stopping unauthorized access.
Can anything else be done?
If anyone in your organization is experiencing an MFA bombing tactic or received an unexpected prompt from their authenticator app, please report it to your IT department as soon as possible.
It is also worth considering a switch to number matching or token-based authentication methods that are less susceptible to successful attacks.
Have questions about your MFA or need help assessing an ongoing security challenge? Book a consultation with a GCS security expert today. Click here.