Every day people are bombarded with notifications. Click this, press that, beeps, alarms, dings, the list goes on and on. Sometimes you have to wonder how anybody gets anything done.
When you do something repeatedly, it becomes rote to the point that you don’t even pay attention to it anymore. Think of how many times you’ve heard someone refer to doing something “without thinking.” And every cybercriminal knows that anytime people are distracted or overwhelmed, it’s an opportunity. Actions you take automatically without any conscious emotion or deliberation are easy to exploit.
Multi-factor authentication (MFA) is widely regarded as a critical step toward improving security. Instead of only requiring a username and password to access a resource, MFA adds another “factor” to identify who you are such as push-to-approve, one-time password (OTP), biometrics, or a hardware token. MFA improves security because even if one credential is compromised, in theory, any unauthorized user wouldn’t be able to meet the second authentication requirement.
When MFA goes bad
The problem with MFA is that it can be annoying. Like every other type of notification, if you get a lot of MFA notifications, you may not pay as close attention as you should. And that’s what threat actors are counting on. They’re hoping that by eroding your users’ attention, those distracted users will give them the MFA credentials they need to authenticate into a secured environment. This tactic is referred to as “MFA fatigue,” and it’s been receiving more notice because of high-profile breaches against companies like Uber, Cisco, Twitter, Robinhood, Okta, and Office 365 users.
MFA fatigue is a type of phishing attack. In the MITRE ATT&CK framework, it’s defined it as a way to “bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.”
The way the attack works is that a hacker gets access to a username and password of an employee, which is then used to attempt a login. That triggers a multi-factor push notification, which tend to be the most vulnerable to MFA fatigue. Often the notification is a new window or pop-up box that appears on a smartphone, which asks the employee to approve or deny the request. These “Is this really you?” screens are so common that often people just click to make it go away, so they can get on with their day.
Threat actors will imitate those rote confirmations a few times, hoping to catch the user in a moment of inattention. If a few requests don’t work, hackers will up the ante. Sometimes they flood the user’s authentication program with multiple notifications, effectively spamming the person’s phone. And if that doesn’t work, they may use other social engineering tactics like calling or sending texts posing as IT staff or some other authority to convince the user to accept the MFA notification.
Much like clicking a link in a phishing email or malware site, approving an MFA notification can lead to catastrophic consequences. Once a hacker gets inside the network, they typically do their best to find ways to move around and access other critical systems. If a company has implemented various zero-trust security measures like least-privilege access, endpoint monitoring, and identity governance, they can both reduce the probability of credential compromise and prevent an attacker from doing much damage. But most companies have security gaps that can be used to gain access. In the case of the Uber attack, the intruder was able to find a script that made it possible for them to access the company’s privileged access management (PAM) platform.
Preventing MFA fatigue attacks
It may not be an exciting high-tech solution, but user education is the most important element in preventing these types of “prompt bombing” attacks from being successful. It’s much like someone knocking on your door or using a buzzer to get into your apartment building. You don’t let them in without looking out a window or asking, “who is it?” If you get a push notification, think before you click. Why would you ever approve a login request when you aren’t logging in? The answer is you absolutely shouldn’t.
Although educating users on MFA risks is critical, technology can help as well. By providing additional context within the MFA notification, users can make an informed decision whether to approve. For example, some MFA solutions display the timestamp, application, and/or location within the notification. Others display a unique login code on the web login page that must be matched to the same code in the notification. Or, consider using OTP passcodes instead of push, which tend to be more resilient in the face of these attacks. Whichever solution you chose, these techniques will reduce the possibility of end users accidentally approving requests they did not initiate.
Solutions shouldn’t be one-size-fits-all: context can also be employed to mitigate MFA Fatigue attacks by limiting the would-be attacker’s ability to spam unsuspecting users. Adaptive access and risk-based authentication can limit login requests to specific trusted locations or known devices, behavioral analytics can help detect abnormal login activity, and rate limiting can throttle consecutive unsuccessful login attempts.
When possible, consider passwordless methods as an alternative to notification-based MFA. FIDO2, for example, is specifically designed to resist “man in the middle” attacks by requiring a direct cryptographic connection between the authenticator and the web application. Even with phishing-resistant methods like FIDO, however, MFA is only as secure as the credential lifecycle. This lifecycle starts with MFA enrollment, but also includes events such as device replacement and credential resets. These activities are some of the likeliest instances for attackers to gain unauthorized access.
Finally, organizations must recognize that prevention is only half of the solution. Identity systems must also aid in the detection and remediation of attacks in progress. Consecutive login failures or excessive login attempts are two examples of potential indicators of suspicious activity. This information can be fed into security information and event management (SIEM) solutions for further investigation by Security Operations staff or used to trigger an account review in an identity governance and administration (IGA) platform.
Lower the risks
By educating users and implementing more robust controls around their MFA processes, organizations can lower the risk of MFA fatigue. It’s also important to make sure the company you’re working with has protections on their systems. RSA has a white paper that provides an overview of our security policies with information about our security measures, including our practices, operations, and controls around ID Plus. And for real-time information about our system performance and security advisories, you can visit our security page.
The RSA approach is more resilient to MFA fatigue: it’s why security-first organizations turn to us to help them protect their businesses. For more information about authentication risks and how RSA can help you move away from security that relies on passwords, check out our solution brief: Passwordless Authentication: The Time Is Now, and Help Is Here.