How to prevent multifactor authentication fatigue attacks
There is a new wave of infections spreading throughout the world that has nothing to do with COVID or, for that matter, any other physical disease.
Called multifactor authentication fatigue, it’s highly contagious and spreads through the deception of determined hackers who want to steal users’ account details.
But here is the irony: The more MFA a company uses, the greater the chance that a potential MFA fatigue attack will succeed. It’s a sign that MFA methods have matured and “that we have reached a level with MFA where adversaries are incentivized to work around this control,” Jennifer Golden of Cisco Systems Inc.’s Duo wrote in this blog post last year.
We have written numerous times the recommendation to employ MFA across a business’ digital assets as a primary defensive tactic, including this story from last year about how security startup Xage Security Inc. can defeat MFA fatigue.
This attack goes under a variety of names, including push or prompt bombing, MFA spam or notification fatigue. The idea is simple: Send a potential target user a series of text messages asking for a onetime password to complete the MFA process for a particular account.
For it to work, a bad actor needs to already hold a user’s credentials, stolen in an earlier breach, bought from a dark web listing or obtained through a social engineering ploy. The stolen information could include a recovery email address or the username-password combination for a particular account.
The MFA request is then repeatedly sent to the user’s mobile phone, which can eventually wear the user down until they approve the prompt or give up the onetime code. Some users might think there is a problem with the MFA application itself and just get tired of all the messages – hence the “fatigue” label.
“Often, a victim will push ‘Yes’ in the hopes of stopping the notifications from occurring,” according to BeyondTrust’s blog. “The victim may think it’s a simple application malfunction or a test, or just want the notifications to end out of annoyance.”
That’s what happened in separate attacks at Uber Inc. and Twilio Inc. last year: Attackers persuaded a single employee in each organization to enter MFA codes into a phony website that was a replica of the real one and controlled by the attackers. The attackers don’t have to be very sophisticated: In Uber’s case, it was a teen who contacted the target user via WhatsApp and claimed to be from the IT department to give the request more credibility. As Arctic Wolf Networks Inc. said in a recent blog, “Using that second form of social engineering along with an MFA fatigue attack can be effective for threat actors, as it creates a false sense of trust.”
Part of the problem is that most modern MFA methods include a usability feature that sends notifications to the user’s email or phone. These messages sometimes just require a user to click on the message without any further interaction, which is what the attackers count on when sending multiple messages within a short time period.
How to stop the fatigue attacks
To be more proactive at fighting MFA fatigue, businesses need to do several things concurrently. This assumes, of course, that MFA has already been implemented. Although that is a good first step, several other elements are needed to make any MFA program as effective as possible.
First, a company should adopt the better authentication methods that support the Fast Identity Online or FIDO2 standards, such as passwordless methods and hardware keys. These methods defeat the fatigue-based attacks because the login credentials can’t be as easily duplicated by the attacker.
Second, authentication should be risk-based and dynamically step up security requirements automatically based on what users are doing at any given moment. The old ways of using a single access control when a user logs in need to be replaced accordingly. There are a number of authentication products that offer this feature, which I reviewed last year for CSOonline here.
Next, user education is important. Arctic Wolf recommends that users be more suspicious about notifications, especially if they appear at odd hours or from an unusual locale or phone number. They suggest including a module on MFA fatigue in any user awareness training program.
That should include information on how to better protect user credentials. Arctic Wolf also recommends removing all push MFA notifications entirely, especially when the prompt requires only a single acknowledgment click.
BeyondTrust recommends that MFA configurations be hardened to reduce times between MFA requests, that firms limit and log the number of failed access attempts, and that they add geolocation and biometric requirements. It has several other suggestions on its blog, including hardening systems to reduce a potential attack surface, enforcing least-privilege methods, and eliminating stagnant or unused credentials from employees who have long since departed the company.
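The risk-based step-up from the second recommendation and the BeyondTrust points about limiting the time between MFA requests, logging failed attempts and adding geolocation checks can be expressed as a small policy and a log scan. The following is an added illustration written for this article, not code from Duo, Arctic Wolf, BeyondTrust or any product mentioned above; the event format, field names and all thresholds (three pushes per five minutes, lockout after two denials) are assumptions chosen for the example.

```python
"""Defender-side MFA push controls and fatigue detection (illustrative example).

Assumptions (not from any vendor): each log event is a dict with keys
user, ts (epoch seconds), event ('push_sent' | 'approve' | 'deny') and
country; thresholds below are hypothetical policy values."""
from collections import defaultdict, deque

MAX_PROMPTS_PER_WINDOW = 3   # hypothetical: at most 3 push prompts per window
WINDOW_SECONDS = 300         # hypothetical: 5-minute sliding window
DENIALS_BEFORE_LOCK = 2      # hypothetical: two denials lock push for a while
LOCK_SECONDS = 900           # hypothetical: 15-minute push lockout


class PushPolicy:
    """Decides whether a login may trigger a simple-tap push, must use a
    stronger factor (e.g. FIDO2 key or number matching), or is blocked."""

    def __init__(self):
        self.prompts = defaultdict(deque)      # user -> timestamps of pushes sent
        self.denials = defaultdict(int)        # user -> consecutive denials
        self.locked_until = {}                 # user -> epoch seconds
        self.known_countries = defaultdict(set)  # user -> countries seen on approvals

    def decide(self, user, ts, country):
        """Return 'push', 'strong_factor' or 'blocked' for a new login attempt."""
        if self.locked_until.get(user, 0) > ts:
            return "blocked"
        q = self.prompts[user]
        while q and ts - q[0] > WINDOW_SECONDS:   # drop prompts outside the window
            q.popleft()
        if len(q) >= MAX_PROMPTS_PER_WINDOW:      # rate limit: no more push spam
            return "blocked"
        known = self.known_countries[user]
        if known and country not in known:        # risk-based step-up on new locale
            return "strong_factor"
        q.append(ts)
        return "push"

    def record_response(self, user, ts, approved, country):
        """Feed the user's answer back; repeated denials lock further pushes."""
        if approved:
            self.denials[user] = 0
            self.known_countries[user].add(country)
            return
        self.denials[user] += 1
        if self.denials[user] >= DENIALS_BEFORE_LOCK:
            self.locked_until[user] = ts + LOCK_SECONDS
            self.denials[user] = 0


def find_fatigue_patterns(events, max_pushes=MAX_PROMPTS_PER_WINDOW, window=WINDOW_SECONDS):
    """Scan MFA log events and return (user, pattern, ts) alerts for
    push bursts and for an approval that closely follows a denial."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        pushes = [e["ts"] for e in evs if e["event"] == "push_sent"]
        for i in range(len(pushes)):             # sliding window over push times
            j = i
            while j < len(pushes) and pushes[j] - pushes[i] <= window:
                j += 1
            if j - i > max_pushes:
                alerts.append((user, "push_burst", pushes[i]))
                break
        last_deny = None                          # approve-after-deny is the classic tell
        for e in evs:
            if e["event"] == "deny":
                last_deny = e["ts"]
            elif e["event"] == "approve" and last_deny is not None and e["ts"] - last_deny <= window:
                alerts.append((user, "approve_after_deny", e["ts"]))
                last_deny = None
    return alerts


# Constructed sample log (not real telemetry): alice is bombarded and finally
# taps approve; bob has a normal single-prompt login.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": 1000, "event": "push_sent", "country": "US"},
    {"user": "alice", "ts": 1010, "event": "deny", "country": "US"},
    {"user": "alice", "ts": 1020, "event": "push_sent", "country": "US"},
    {"user": "alice", "ts": 1030, "event": "deny", "country": "US"},
    {"user": "alice", "ts": 1040, "event": "push_sent", "country": "US"},
    {"user": "alice", "ts": 1050, "event": "push_sent", "country": "US"},
    {"user": "alice", "ts": 1060, "event": "approve", "country": "US"},
    {"user": "bob", "ts": 2000, "event": "push_sent", "country": "US"},
    {"user": "bob", "ts": 2005, "event": "approve", "country": "US"},
]

if __name__ == "__main__":
    for alert in find_fatigue_patterns(SAMPLE_EVENTS):
        print(alert)
```

With the policy in place, alice’s fourth prompt inside the window would have been refused rather than sent, and a login from a country she has never approved from would be steered to a phishing-resistant factor instead of a one-tap push; the log scan surfaces the burst and the approve-after-deny sequence for the security operations team even if the prompt was allowed through.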
That’s certainly a long to-do list, which admittedly carries its own fatigue elements. And that’s what the attackers are counting on. However, all of these steps should be adopted as part of a larger security program to improve the effectiveness of MFA.