Combatting MFA Bombing
- Written by: Ben Hall - Practice Manager, GRC
Multi-Factor Authentication (MFA) is one of the most powerful tools you can use to secure your accounts. By requiring multiple forms of verification, MFA adds an extra layer of protection that significantly reduces the risk of unauthorized access.
However, attackers have found a way to exploit this security measure through a tactic known as MFA bombing. They use this method to overwhelm users with authentication requests, hoping to sneak past defenses.
Recognizing legitimate MFA requests is critical to maintaining your security and preventing unauthorized access.
MFA Bombing Definition
MFA bombing—also known as MFA prompt bombing or MFA fatigue attacks—occurs when an attacker, having obtained a user's login credentials, repeatedly triggers MFA notifications on the user's device.
The goal? To exhaust or confuse the user into eventually approving one of the requests and then allowing the attacker access to the account. This method takes advantage of the user’s annoyance of being inundated with approval requests, becoming desensitized to those alerts, and finally mistakenly approving a fraudulent request.
The Psychology Behind MFA Bombing
To understand why MFA bombing is effective, we should take a look into the psychology behind it:
- Decision Fatigue: Our ability to make sound decisions diminishes as we make more of them throughout the day. Semi-related, the best decisions are usually made before 1 p.m. Constant MFA prompts can wear down our decision-making, leading to mistakes.
- Habituation: Over time, repeated demands (like frequent MFA prompts) can lead to desensitization. Users might start ignoring or mindlessly approving notifications.
- The Paradox of Choice: Too many authentication options or frequent prompts can overwhelm users, causing them to make suboptimal security choices.
So How Do We Recognize Legitimate MFA Requests?
Spotting legitimate MFA requests amidst potential attacks requires vigilance and awareness. The things you need to pay attention to when an MFA request comes your way are:
- Frequency of Requests
- Legitimate: Usually occurs when you initiate a login or sensitive action.
- Suspicious: Multiple requests in quick succession without any login attempts.
- Timing and Context
- Legitimate: Aligns with your login attempts or known activity.
- Suspicious: Appears at odd times or when you’re not actively using your account.
- Location and Device Recognition
- Legitimate: Matches your known devices and locations.
- Suspicious: Requests from unknown locations or devices.
- Email and App Notifications
- Legitimate: Accompanied by corresponding alerts from your security apps or services.
- Suspicious: No additional context or alerting information from your security tools.
- Details in the Request
- Legitimate: Details about the login attempt, such as IP Address, device type, and service name are included
- Suspicious: Limited or no additional details are included in the request.
As you can hopefully see, there’s a common theme with legitimate MFA alerts—they’re caused by you. Let’s just put it this way: if you didn’t make the request, don’t approve it.
Steps to Defend Against MFA Bombing
- Strong Password Hygiene: Passwords should not be obvious or common—no more 123456789, please—and not reused from any other accounts. If you do receive an unexpected MFA prompt, assume your password has been compromised and take the necessary steps to change it.
- Educate and Train Users: Make sure your users understand the signs of MFA bombing and the importance of vigilance when approving MFA requests.
- Consider Adaptive MFA: Adaptive MFA solutions consider user’s behavior, location, and device patterns, reducing unnecessary prompts.
- Enable Login Alerts: Set up alerts for any suspicious login attempts or unusual MFA requests to help identify and respond to potential attacks quickly.
- Regular Security Audits: Conduct frequent security audits to ensure all MFA systems are configured correctly and are not susceptible to common attack vectors.
Beat MFA Bombing and Stay Secure
MFA is an incredible tool for enhancing your security, providing a strong barrier against unauthorized access. And even though attackers will always look for ways to exploit security measures, by staying vigilant and recognizing legitimate MFA requests, you can foil these attempts and keep your accounts secure.
Remember, MFA works best when you are cautious about approving alerts.
For any MFA questions or for more information on security awareness training for your organization, reach out to HBS.