Combatting MFA Bombing

Banner image: "MFA Bombing: Beating Back the Bad Guys".

Multi-Factor Authentication (MFA) is one of the most powerful tools you can use to secure your accounts. By requiring multiple forms of verification, MFA adds an extra layer of protection that significantly reduces the risk of unauthorized access.

However, attackers have found a way to exploit this security measure through a tactic known as MFA bombing. They use this method to overwhelm users with authentication requests, hoping to sneak past defenses.

Recognizing legitimate MFA requests is critical to maintaining your security and preventing unauthorized access.

MFA Bombing Definition

MFA bombing—also known as MFA prompt bombing or MFA fatigue attacks—occurs when an attacker, having obtained a user's login credentials, repeatedly triggers MFA notifications on the user's device.

The goal? To exhaust or confuse the user into eventually approving one of the requests, thereby granting the attacker access to the account. This method takes advantage of the user's annoyance at being inundated with approval requests: the user becomes desensitized to the alerts and finally approves a fraudulent request by mistake.

Recently, cybercriminals targeted Apple iPhone users with an MFA bombing attack. The bad actors relentlessly sent a series of legitimate password-reset notification alerts in an attempt to take over iCloud accounts.

The Psychology Behind MFA Bombing

To understand why MFA bombing is effective, we should take a look into the psychology behind it:

  1. Decision Fatigue: Our ability to make sound decisions diminishes as we make more of them throughout the day. Semi-related, the best decisions are usually made before 1 p.m. Constant MFA prompts can wear down our decision-making, leading to mistakes.
  2. Habituation: Over time, repeated demands (like frequent MFA prompts) can lead to desensitization. Users might start ignoring or mindlessly approving notifications.
  3. The Paradox of Choice: Too many authentication options or frequent prompts can overwhelm users, causing them to make suboptimal security choices.

Image: two hands holding separate phones, one showing an approved MFA prompt (green check mark) and the other a denied MFA prompt (red 'x').

So How Do We Recognize Legitimate MFA Requests?

Spotting legitimate MFA requests amidst potential attacks requires vigilance and awareness. The things you need to pay attention to when an MFA request comes your way are:

  1. Frequency of Requests
    • Legitimate: Usually occurs when you initiate a login or sensitive action.
    • Suspicious: Multiple requests in quick succession without any login attempts.
  2. Timing and Context
    • Legitimate: Aligns with your login attempts or known activity.
    • Suspicious: Appears at odd times or when you’re not actively using your account.
  3. Location and Device Recognition
    • Legitimate: Matches your known devices and locations.
    • Suspicious: Requests from unknown locations or devices.
  4. Email and App Notifications
    • Legitimate: Accompanied by corresponding alerts from your security apps or services.
    • Suspicious: No additional context or alerting information from your security tools.
  5. Details in the Request
    • Legitimate: Details about the login attempt, such as IP address, device type, and service name, are included.
    • Suspicious: Limited or no additional details are included in the request.

As you can hopefully see, there’s a common theme with legitimate MFA alerts—they’re caused by you. Let’s just put it this way: if you didn’t make the request, don’t approve it.

Steps to Defend Against MFA Bombing

Infographic: five steps to combat MFA bombing.

  1. Strong Password Hygiene: Passwords should not be obvious or common—no more 123456789, please—and not reused from any other accounts. If you do receive an unexpected MFA prompt, assume your password has been compromised and take the necessary steps to change it.
  2. Educate and Train Users: Make sure your users understand the signs of MFA bombing and the importance of vigilance when approving MFA requests.
  3. Consider Adaptive MFA: Adaptive MFA solutions take a user’s behavior, location, and device patterns into account, reducing unnecessary prompts.
  4. Enable Login Alerts: Set up alerts for any suspicious login attempts or unusual MFA requests to help identify and respond to potential attacks quickly.
  5. Regular Security Audits: Conduct frequent security audits to ensure all MFA systems are configured correctly and are not susceptible to common attack vectors.
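As an added illustration of the frequency, device and login-alert criteria above (example code written for this article, not an HBS product or tool), the following Python scans a constructed MFA push log and raises a high-severity alert when a user receives an abnormal burst of prompts, and a critical alert when a prompt is approved during such a burst or from an unenrolled device. The log format, field names, device list and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data); fields: timestamp user event source_ip device
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice push_sent 203.0.113.7 unregistered
2024-05-01T08:00:30Z alice push_denied 203.0.113.7 unregistered
2024-05-01T08:01:10Z alice push_sent 203.0.113.7 unregistered
2024-05-01T08:02:00Z alice push_sent 203.0.113.7 unregistered
2024-05-01T08:03:15Z alice push_sent 203.0.113.7 unregistered
2024-05-01T08:03:40Z alice push_approved 203.0.113.7 unregistered
2024-05-01T09:10:00Z bob push_sent 198.51.100.4 bob-laptop
2024-05-01T09:10:20Z bob push_approved 198.51.100.4 bob-laptop
"""

# Devices each user has enrolled (constructed); any other device is treated as unknown.
KNOWN_DEVICES = {"alice": {"alice-iphone"}, "bob": {"bob-laptop"}}
WINDOW = timedelta(minutes=10)  # sliding window in which prompts are counted
BURST_THRESHOLD = 4             # prompts inside the window that count as a "bombing" burst
def parse(line):
    ts, user, event, ip, device = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip, device

def detect_mfa_bombing(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts as (user, severity, reason) tuples, in log order."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    burst_flagged = set()        # users already alerted on, so each burst is reported once
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, event, ip, device = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in burst_flagged:
                burst_flagged.add(user)
                mins = int(window.total_seconds() // 60)
                alerts.append((user, "high", f"{len(q)} push prompts within {mins} min from {ip}"))
        elif event == "push_approved":
            # Approval during a burst is the attacker's goal; approval from an unenrolled device is suspicious too.
            reasons = []
            if len(q) >= threshold:
                reasons.append("approval after prompt burst")
            if device not in KNOWN_DEVICES.get(user, set()):
                reasons.append(f"unknown device '{device}'")
            if reasons:
                alerts.append((user, "critical", "; ".join(reasons)))
    return alerts
```

Run against the sample, alice produces a high alert on her fourth prompt and a critical alert on the approval that follows, while bob's single self-initiated prompt from an enrolled device produces nothing.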

Beat MFA Bombing and Stay Secure

MFA is an incredible tool for enhancing your security, providing a strong barrier against unauthorized access. And even though attackers will always look for ways to exploit security measures, by staying vigilant and recognizing legitimate MFA requests, you can foil these attempts and keep your accounts secure.

Remember, MFA works best when you are cautious about approving alerts.

For any MFA questions or for more information on security awareness training for your organization, reach out to HBS.