
Amtivo

MFA Fatigue: How To Respond to Authentication Threats


Implementing some form of Multifactor Authentication (MFA) to protect user accounts has for some years been recommended as a cyber security best practice. Indeed, with credentials under constant and sophisticated attack these days, it is becoming a default in many organisations.

Naturally, the attackers won’t simply give up and have started to look for ways to beat MFA.

MFA is a patchwork of technologies and formats, meaning each form has to be undermined in a different way. The best-known example is the way a spate of SIM swap attacks turned SMS two-factor authentication (2FA) from a reliable security layer into something a U.S. Government agency famously hasn’t recommended for business security since 2016.

But What About Other Types of MFA?

An acknowledged drawback with MFA is that to gain access the user must usually do something, such as entering a code in addition to a password, which takes time. If this happens too often, it affects productivity and, depending on how authentication policies are configured, quickly becomes a chore.

An increasingly standard solution is to implement MFA using application push notifications. This approach allows admins to configure MFA to send a confirmation pop-up to a user’s smartphone asking them to approve the access attempt. The advantage is that it’s less intrusive than other types of MFA and therefore meets less user resistance.

The underlying concept is that push notifications are sent to the user’s smartphone, which is in their possession only. Problem solved? Everyone assumed so until a couple of years ago when cyber criminals started using an ingenious technique called MFA fatigue or push notification spamming to beat the system.

Compromised Credentials

A prerequisite for an MFA fatigue attack is that the criminals have already compromised the user’s credentials, i.e., the password. At that point, they trigger repeated push notifications to the genuine user’s device, asking them to complete the MFA process. Most users see the requests and either ignore or decline them, assuming perhaps that the MFA system has malfunctioned. Unfortunately, in a small number of cases, the repeated requests eventually wear down the user’s patience and are approved.

Microsoft research suggests that around 1% of users fall prey to push notification spamming, more than enough to make the technique worth it for an attacker. From this, we can see that while push notification MFA is highly effective it still allows users to be socially engineered in ways that are harder or impossible with other types of MFA.

An early wave of attacks involved nation-state attackers launching MFA fatigue attacks on Office/Microsoft 365 accounts as a staging post to target the whole Active Directory infrastructure. Other service providers have also noticed an uptick in the same technique, which suggests it is only a matter of time before it becomes mainstream. On that topic, in September 2022, the car-sharing company Uber reported it had fallen victim to a cyber attack, a key component of which was the use of MFA fatigue to bypass security. There have been others.
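The pattern described above (a burst of declined or ignored push prompts for one account, sometimes ending in an approval) is something a security team can look for in its sign-in logs. The following detector is an added example, not code from the article or from any vendor; the event format and the sample events are constructed, and the 10-minute window and threshold of 3 are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (not real logs):
# (timestamp, user, outcome, source IP of the sign-in attempt)
EVENTS = [
    ("2022-09-15T02:00:05", "alice", "denied",   "203.0.113.7"),
    ("2022-09-15T02:00:40", "alice", "timeout",  "203.0.113.7"),
    ("2022-09-15T02:01:10", "alice", "denied",   "203.0.113.7"),
    ("2022-09-15T02:01:55", "alice", "timeout",  "203.0.113.7"),
    ("2022-09-15T02:02:30", "alice", "denied",   "203.0.113.7"),
    ("2022-09-15T02:03:01", "alice", "approved", "203.0.113.7"),  # fatigue succeeded
    ("2022-09-15T09:14:00", "bob",   "approved", "198.51.100.2"),
    ("2022-09-15T13:30:00", "bob",   "timeout",  "198.51.100.2"),  # normal single miss
    ("2022-09-15T13:31:00", "bob",   "approved", "198.51.100.2"),
]

WINDOW = timedelta(minutes=10)   # assumed: how close together prompts must be
THRESHOLD = 3                    # assumed: unanswered prompts before we alert
UNANSWERED = ("denied", "timeout")

def detect_push_spam(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (max_unanswered_in_window, approved_after_spam, source_ips)}
    for every user whose declined/ignored prompts reach the threshold inside
    any sliding window. approved_after_spam=True is the high-priority case:
    the account was most likely just taken over."""
    per_user = defaultdict(list)
    for ts, user, outcome, ip in events:
        per_user[user].append((datetime.fromisoformat(ts), outcome, ip))
    alerts = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for i, (t, outcome, ip) in enumerate(rows):
            while rows[start][0] < t - window:   # drop events older than the window
                start += 1
            burst = rows[start:i + 1]
            unanswered = sum(1 for r in burst if r[1] in UNANSWERED)
            if unanswered < threshold:
                continue
            prev = alerts.get(user, (0, False, set()))
            alerts[user] = (max(prev[0], unanswered),
                            prev[1] or outcome == "approved",
                            prev[2] | {r[2] for r in burst})
    return alerts

if __name__ == "__main__":
    for user, (n, approved, ips) in detect_push_spam(EVENTS).items():
        print(f"ALERT {user}: {n} unanswered prompts, approved_after={approved}, ips={sorted(ips)}")
```

In practice the same logic would be fed from the identity provider's sign-in export, and an approval that follows a burst should trigger a session revocation and password reset rather than just a ticket.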

Can It Be Stopped?

Microsoft has published data on the increasing number of attacks it has detected that use MFA fatigue. With good timing in 2021, the company modified its Authenticator app (which enables push technology) to implement a feature called number matching which requires the user to enter a two-digit code (which changes with each request) to approve any push notification. Both the approver and attacker must enter this number, but only the genuine user can see it. In addition, number matching can also be configured to show the IP address geo-location of the login request to the real user as well as the application being accessed, which might raise further suspicion.

Number matching will become the default for Microsoft Authenticator from February 2023. It’s a neat solution albeit at the expense of asking the users to enter another code, the very thing push notification was supposed to avoid.

What Else Can Be Done To Counter MFA Fatigue?

One answer is to abandon passwords altogether and adopt passwordless authentication. This means that there is no password to steal so attackers have nothing to compromise to launch a fatigue attack in the first place. This also addresses the issue of phishing attacks. The downside is that passwordless authentication requires time and investment, something not every organisation can afford.

Right now, all users have heard of phishing but very few have heard of MFA fatigue attacks. Put simply, if users don’t know about the technique, it’s a certainty some of them will fall for it. The job for organisations should be to educate them by showing them how this bypass works using visuals. Don’t rely on text explanation – a visual is likely to make more of an impression.

The Bottom Line

Hackers are now targeting push notification authentication, but push notification is far from alone in this. Codes generated by authentication apps have also been in the firing line. This reminds us that MFA technologies are not immune from social engineering. However, in the case of MFA fatigue attacks the critical issue is that awareness is very low. That is an open invitation to trouble.
