Protect clients from MFA fatigue attacks

These push notification attacks can be devastating, but the proper privilege and access management strategy can stop them in their tracks.

Sinan Eren, Vice President, Zero Trust Security, Barracuda

The growth of stolen credentials on the dark web has made it essential for users to implement an additional authentication requirement for identity verification. Multi-factor authentication (MFA) is a layered approach to securing data and applications where a user is required to present a combination of two or more credentials to verify their identity before they can log in.

Unfortunately, hackers are finding ways around these protections. One increasingly popular tactic is known as an MFA fatigue attack. In these attacks, hackers bombard victims’ authentication apps with push notifications to trick them into authenticating their login attempts. Attackers typically gain the victim’s credentials using a brute force attack, email phishing, or other techniques. Then, with those credentials in hand, they initiate manual or automated push notification spamming until the user accepts the authentication request.

Sometimes, the attacker sends an email or message or calls the user pretending to be IT support and asking the user to approve the MFA prompt. Unfortunately, the targeted user often doesn’t know they’re authorizing a rogue request.

The highest profile of these multi-factor authentication fatigue attacks occurred at Uber in September. According to the company, the attacker purchased a contractor’s Uber corporate password on the dark web after the contractor’s personal device had been infected with malware. Then, the contractor was bombarded with notifications from the hacker via WhatsApp, with the attacker claiming to be from Uber IT. From there, the attacker was able to gain high-level access to the corporate network.

Pushing Back Against MFA Fatigue

These attacks take advantage of the fact that users often complete authentication requests without thinking about them. Unfortunately, that undermines the effectiveness of MFA, which means companies need to implement additional protections that include several different strategies and technologies: 

First, there’s a need to train users on how to respond to these incidents. Make sure they know not to accept notifications they did not originate, and that they know how to notify IT or security quickly if they suspect they’re under attack. They should also be instructed to change their passwords as soon as they suspect an attack.

For Microsoft 365, users can configure default limits for the MFA service to cap the number of push notification attempts within a given time frame. 

You may also be able to configure access rules to prevent authentication from proceeding if a given device, the location of the requests, or other risk levels raise alarm bells. 
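The two controls described above, a cap on push notifications within a time window and an alert when an approval follows a burst, can be checked against authentication logs. The following is an added example written for this article, not code from the author or from any vendor product: it replays a constructed push-notification log, suppresses pushes once a user exceeds an assumed cap of three within five minutes, and flags an approval that arrives while suppressed pushes are still inside the window. The log format, field names and thresholds are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data). One event per line:
#   ISO-8601 timestamp | user | event | source IP | source country
# "alice" receives a burst of pushes and finally approves one; "bob" is a normal login.
SAMPLE_LOG = """\
2023-01-10T09:00:05Z|alice|push_sent|203.0.113.7|NL
2023-01-10T09:00:35Z|alice|push_sent|203.0.113.7|NL
2023-01-10T09:01:02Z|alice|push_sent|203.0.113.7|NL
2023-01-10T09:01:30Z|alice|push_sent|203.0.113.7|NL
2023-01-10T09:02:01Z|alice|push_sent|203.0.113.7|NL
2023-01-10T09:02:40Z|alice|push_approved|203.0.113.7|NL
2023-01-10T09:05:00Z|bob|push_sent|198.51.100.4|US
2023-01-10T09:05:20Z|bob|push_approved|198.51.100.4|US
"""

# Assumed policy values; real MFA services expose their own settings for these.
MAX_PUSHES = 3                  # pushes allowed per user inside the window
WINDOW = timedelta(minutes=5)   # sliding window for the cap


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts, in file order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip, country = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip, "country": country,
        })
    return events


def evaluate(events, max_pushes=MAX_PUSHES, window=WINDOW):
    """Replay events in order. Each push_sent is either 'sent' or 'suppressed'
    (cap already reached inside the window). An approval that arrives while
    suppressed pushes are still inside the window is flagged, because that is
    the moment an MFA fatigue attack succeeds.
    Returns {"decisions": [(user, action), ...], "alerts": [str, ...]}."""
    sent = defaultdict(deque)        # user -> timestamps of pushes actually sent
    suppressed = defaultdict(deque)  # user -> timestamps of pushes refused
    decisions, alerts = [], []
    for ev in events:
        user, now = ev["user"], ev["ts"]
        for q in (sent[user], suppressed[user]):
            while q and now - q[0] > window:   # drop entries outside the window
                q.popleft()
        if ev["event"] == "push_sent":
            if len(sent[user]) >= max_pushes:
                suppressed[user].append(now)
                decisions.append((user, "suppressed"))
                alerts.append(
                    f"{now:%H:%M:%S} {user}: push cap {max_pushes} reached within "
                    f"{window}; requests from {ev['ip']} ({ev['country']})")
            else:
                sent[user].append(now)
                decisions.append((user, "sent"))
        elif ev["event"] == "push_approved" and suppressed[user]:
            alerts.append(
                f"{now:%H:%M:%S} {user}: approval after a push burst; "
                f"treat the session as suspicious and reset credentials")
    return {"decisions": decisions, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate(parse_log(SAMPLE_LOG))
    for user, action in result["decisions"]:
        print(f"{user}: {action}")
    print("\n".join(result["alerts"]))
```

The window is sliding rather than fixed, so a user who is legitimately locked out by a burst regains push delivery once the earliest pushes age out; the approval check looks only at suppressed pushes still inside the window, so an ordinary approval minutes after a quiet period is not flagged.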

Implement Least Privilege Principles

An additional layer of security includes implementing the principle of least privilege (POLP) when it comes to application, file, and data access. Users, services, and applications should only have the permissions needed to perform their work. This can help significantly limit the damage if a specific user or app is compromised since they only have limited access to assets on the network. 

This will require developing a process to define how requests and access approvals are handled. In addition, specific staff should be designated access approvers and trained to determine access limits. There should also be periodic reviews to identify how access is utilized and update privileges based on job function and usage patterns.

Zero Trust Pays Big Benefits

Companies should also implement a Zero Trust strategy – meaning that any device that attempts to access the network (even those within the bounds of the corporate infrastructure) requires authentication as an additional security step on top of the traditional user authentication. According to data from IBM, Zero Trust can reduce the cost of a breach by as much as 42%.

Under Zero Trust frameworks, every device and user must be authenticated and authorized. Otherwise, access is not granted. This nearly eliminates the risk posed by credential theft, since even attackers armed with a username and password who can launch an MFA fatigue attack will not be able to pass the device status and identity checks. That shuts down potential unauthorized logins.

Zero Trust solutions can include context-based policies for authentication and authorization that can consist of things like geographic location, time, or device requirements. 
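To show how such context-based policies shut down an MFA fatigue attempt before a push is ever sent, here is an added example written for this article (not code from the author or from any Zero Trust product). It evaluates device enrollment and compliance, geographic location and time of day against an assumed corporate policy; only a request that passes those checks proceeds to MFA at all, and an after-hours request must use a stronger verification method. All field names, policy values and the three sample requests are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    """Context gathered at login, before any MFA prompt is issued. Field names are assumed."""
    user: str
    device_id: str
    device_enrolled: bool    # device is registered with the organisation
    device_compliant: bool   # passes posture checks (encryption, patch level, ...)
    country: str             # geolocation of the request
    login_time: datetime
    mfa_method: str          # e.g. "push" or "number_match"


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    work_hours: tuple           # (start_hour, end_hour) on a 24h clock
    step_up_methods: frozenset  # MFA methods acceptable outside work hours


def evaluate_request(req, policy):
    """Return (decision, reasons). Device and location checks run first, so a
    request that carries only a valid username and password from an unknown
    device is denied without generating a push."""
    reasons = []
    if not req.device_enrolled:
        reasons.append(f"device {req.device_id} is not enrolled")
    elif not req.device_compliant:
        reasons.append(f"device {req.device_id} fails compliance checks")
    if req.country not in policy.allowed_countries:
        reasons.append(f"request from {req.country} is outside allowed locations")
    if reasons:
        return "deny", reasons
    start, end = policy.work_hours
    in_hours = start <= req.login_time.hour < end
    if not in_hours and req.mfa_method not in policy.step_up_methods:
        return "step_up", [
            f"login at {req.login_time:%H:%M} is outside work hours; "
            f"require one of {sorted(policy.step_up_methods)}"]
    return "allow", []


# Assumed corporate policy for the example.
CORP_POLICY = Policy(
    allowed_countries=frozenset({"US", "NL"}),
    work_hours=(7, 20),
    step_up_methods=frozenset({"number_match", "fido2"}),
)


def run_samples(policy=CORP_POLICY):
    """Three constructed requests: a normal login, an attacker holding a stolen
    password on an unregistered device from an unexpected country, and a
    legitimate after-hours login using plain push approval."""
    employee = AccessRequest("alice", "laptop-0421", True, True, "US",
                             datetime(2023, 1, 10, 10, 0), "push")
    stolen_password = AccessRequest("alice", "unknown-device", False, False, "ZZ",
                                    datetime(2023, 1, 10, 10, 5), "push")
    after_hours = AccessRequest("alice", "laptop-0421", True, True, "US",
                                datetime(2023, 1, 10, 22, 30), "push")
    return {
        "employee": evaluate_request(employee, policy),
        "stolen_password": evaluate_request(stolen_password, policy),
        "after_hours": evaluate_request(after_hours, policy),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name}: {decision} {reasons}")
```

The ordering matters: because the device and location checks return a denial before the MFA step is reached, an attacker who has only the password has no way to trigger the stream of prompts that a fatigue attack depends on. The "ZZ" country code is a placeholder, not a real location.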

With the right combination of privilege policies, Zero Trust technology, and training, companies can protect themselves against MFA fatigue attacks while shoring up their email and application security against other types of breaches.

Sinan Eren is Vice President, Zero Trust Security at Barracuda.