Securing Push Notifications From MFA Fatigue Attacks
By François Amigorena, IS Decisions
Multi-factor authentication (MFA) has long been recommended as the most effective way for organizations to reduce the risks that arise from password compromise.
Correctly implemented, attackers find it anything from inconvenient to impossible to bypass. With MFA, it can seem as if the many well-documented vulnerabilities inherent to password security suddenly disappear.
In fact, this is a half-truth. MFA is a series of distinct technologies based on similar principles, but which vary from one another in their security and ease of use. Any one of them is markedly better than no MFA but that does not mean they are all equally secure under real-world conditions.
Cybercriminals are always trying to find ways to beat MFA, something they’ve been doing with increasing success. For example, sending one-time passwords (OTPs) via SMS is no longer seen as reliably secure, and even smartphone authentication apps have proved vulnerable under some circumstances.
Recently, attackers have started attacking another popular MFA technology: push notifications.
The Anatomy Of An MFA Fatigue Attack
Push notifications work by asking users to confirm a login is genuine by sending a single tap yes/no notification to their smartphone. The principle is simple – if the access is malicious the genuine user will refuse the request.
Unfortunately, attackers spotted a weakness. After logging in using stolen credentials, all they need to do to bypass the MFA layer is somehow persuade the genuine user to tap ‘yes’. In the event, most users are suspicious and refuse unexpected requests. However, a tiny number – perhaps 1% Microsoft reckons – will approve it the first time. A slightly higher percentage will simply ignore it. In the latter case, the attackers try again and again, spamming the user in the hope they will eventually accept the request without studying it closely.
Called MFA fatigue, since 2021 this technique features in a growing number of incidents impacting companies such as Uber, Cisco, and Microsoft 365 users. The attackers also have added additional layers to the MFA fatigue’s social engineering MO. For example, some pose as IT support people and phone up targeted users to persuade them to accept a push notification.
Can MFA Fatigue Attacks Be Stopped?
A closer look at these incidents reveals that the underlying weakness wasn’t push notification but the weak way it had been implemented. These issues can be addressed in a variety of ways:
- By limiting the number of push notifications that can be sent. This is simple to implement and can be effective, but of course doesn’t remove the possibility that the attacker will resort to backup forms of social engineering, such as social engineering the target using a phone call.
- By using number matching to send a request to the registered user’s smartphone asking them to enter a code from the login screen. The attacker can see this but the real user (who didn’t initiate the login) can’t. Microsoft is implementing this feature in its Authenticator app.
- Adding information to the push notification such as geographical location, device type, and time to make rogue requests easier to spot. This feature is included in the UserLock 12 beta.
- Migrating privileged users to a more secure technology such as FIDO U2F hardware tokens, retaining push notification for standard users.
- Educating users so they can identify MFA fatigue attacks, asking them to be suspicious of repeat authentication requests. This sounds incredibly basic, but a major component of successful MFA fatigue attacks is ignorance of their existence.
- Investigating refused push notifications, giving users a way to report rogue requests (refused push notifications could be evidence of compromised credentials).
As with any form of MFA, push notification authentication is always about balancing security with ease of use. If too many checks are added to make push notification harder to bypass, this risks creating extra workload for the user. Where does the balance lie? The answer depends on the type of user. For example, push notification might not be suitable for privileged users but acceptable for everyone else.
Implementing Secure Push
As the list of mitigations makes clear, push notification remains a secure and easy-to-use form of authentication as long as its weaknesses are carefully addressed.
For extra security, it’s helpful when push notifications display additional details, such as the geographical location of the authentication request, the device it was requested from, and the time of the request. If a user refuses a push notification request as bogus, they are prompted to change their password immediately and contact the network administrator.
Use Better Push
Push notification has flourished because it is incredibly easy to use. The user simply agrees or disagrees that an authentication request is genuine with a single tap. But it is that very simplicity and speed attackers realized could be exploited to socially engineer users with a barrage of rogue requests.
This mirrors the way other forms of MFA such as OTPs sent via SMS have been undermined by bypass attacks. In fact, while MFA is always better than no MFA, no type of MFA should be seen as completely immune from the possibility of bypass.
The good news is that, unlike SMS OTPs, push notification attacks can be addressed by implementing more granular controls such as rate limiting, adding extra information to notifications, and educating users to be wary of notification spam.
About The Author
François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. After a career at IBM and a subsidiary of la Société Générale, Francois became an entrepreneur in 1989 and has never looked back.