CultureAI use cookies to improve your experience on our site. Find out more by reading our Privacy Policy.
I Accept
How to stop employees from accepting unsolicited MFA requests

How to stop employees from accepting unsolicited MFA requests

Responding to human risk
Max Kurton, CultureAI
By Max Kurton
10th Nov 2022

Source of the MFA request

To access a resource like an application, an online account, or a VPN, the user must submit two or more verification factors, known as multi-factor authentication (MFA). A strong identity and access management (IAM) policy must include MFA as a fundamental element. MFA demands one or more verification elements in addition to a username and password, which lessens the possibility of a successful cyberattack. MFA spamming is a human factor-based attack technique that began to threaten two-step authentication, showing that not all MFA implementations are safe.

What's wrong with this? If you are receiving MFA push notifications that you did not activate, It usually indicates that the hacker already has your password. You have given the hacker access to your account by accepting the MFA prompt. Change your password immediately if you ever receive an MFA request you don't recognise. 

Hackers are aware of this. Therefore their new strategy is to exploit people's fatigue with MFA and repeatedly spam the user with push notifications for MFA verification in the hopes that they will accept it since they believe it to be from a reliable source. All it takes is one verification to let them in.

Recent investigations have shown a significant increase in attacks that leverage push notification spamming. Many MFA users are not familiar with this type of attack and would not understand the fraudulent MFA request. When the message appears during work, what is the chance, after multiple MFA valid requests, that the users will accept them?

MFA fatigue attacks: What are they?

The goal of MFA fatigue is to continually bombard the user with push notifications for MFA verification in the hopes that they would accept them because they believe they are coming from a reliable source. As a result, they can access the victim's account or the company's network. 

Fatigue refers to being worn out by anything. The attacker floods the user with MFA push notifications until the victim is finally overwhelmed and agrees to the requests. Do you want to know how these attacks are conducted? Let's now examine the details of how this MFA prompt bombing assault functions.

How is MFA spamming conducted?

•Initially, the hacker uses password-spraying, phishing, or brute-force attacks to access the user's account. In particular, push approvals.

•The attacker begins sending the user constant push alerts once they have access to the credentials. The attacker would bombard users with MFA requests until someone accepts. Since they did not make the request, the user often declines it. 

•However, the hacker keeps bombarding the victims with several push notifications, causing the system to repeatedly ask for a login until the user accepts the MFA request. 

•After receiving many MFA requests, the hope is that the victim is not paying attention or is already signing in to an MFA-secured service and clicks accept without realising it.

•All done! The attacker eventually accessed the victim's account. MFA spamming is complete.

How to prevent MFA fatigue?

There are numerous ways to stop these kinds of assaults.

• Utilise the default MFA service limits.

• Make use of MFA Additional Contexts and Number Matching.

Use Number Matching and MFA Additional Contexts - There are several ways to secure an MFA push notification system. As follows: 

• The name of the program the user attempts to sign in to is displayed in the push and passwordless notifications.

• Display geographic location in the push and password-free notifications - Indicates the request's source.

• Push notification with number matching.

Attacks are reduced to near impossible since the hacker cannot enter the number and authorisation. This reduces these attacks. The most frequently advised strategy for defending users against MFA fatigue attacks also challenges attackers because both parties must confirm the code.

How can users spot multiple push notification attacks?

Many cloud-based services, such as AWS or Microsoft's Office 365 package, offer MFA options. Office 365's default authentication method is Azure Active Directory (AD). There are also certain restrictions. For the additional authentication method that users can use, you only have four basic choices: Microsoft Authenticator, SMS, Voice, and Oauth Token. Depending on the options you want access to, and if you wish to restrict precisely which users will need to utilise MFA, you might also need to spend more on licensing. 

When it comes to authentication factors, Identity as a Service (IDaaS) solutions like OneLogin offer a lot more MFA authentication techniques, and they interact with external applications more efficiently.

There is no easy way to track down MFA Fatigue attack occurrences. However, you can receive a hint about these shady MFA bombing assaults from the Azure Active Directory logs.

View Monitoring tab -> Sign-in logs in Azure AD. This provides summary reports on user sign-ins, including successful and unsuccessful attempts. 

Direct detection of assaults is not possible via Azure AD sign-in analytics reports. It would help if you looked at all unsuccessful cases and the likelihood of an assault. Here, only the attack's probability—not its possibility—is provided. Azure sign-in reports typically only include successful and failed sign-ins. The reports don't offer a more thorough justification. Additionally, few filtering options are available, and the sign-in totals are not provided.

Instead of looking everywhere and wasting time, what if there was a better approach to helping your employees understand the risks of unsolicited MFA requests and stopping them at their source?

Speak to us today

Learn how CultureAI's platform can help prevent accepting unsolicited MFA requests.