MFA Fatigue: A Growing Security Concern
The internet has never faced so much existential risk from people who want to harm companies and their users. While many organizations understand that there’s a link between identity and security, few fully grasp how foundational identity is to a modern security strategy. Organizations with gaps in their identity security are significantly more at risk of experiencing a compromise or breach.
If attackers get control of the right identity, they can break into a network, move laterally once inside, facilitate fraud, and extract sensitive data. Not to mention they can compromise a brand’s reputation and customer loyalty overnight.
With the traditional perimeter gone, people are the quickest way to sensitive data and resources. Identity management is about securing people as the most scalable defense we have (not our greatest weakness).
There has been a proliferation of identity-based attacks, which have increasingly become more sophisticated and are designed deliberately to circumvent security controls that are well established.
What is MFA fatigue, and how do adversaries use it for attacks?
Multi-factor authentication (MFA) fatigue (aka MFA Prompt Spamming/MFA bombing) is a technique used by attackers to flood a user’s authentication app with push notifications in the hope they will accept, enabling the attacker to gain entry to an account or device.
This has become a well-known and very real attack vector. Mandiant created the following report about Russian APTs using the MFA Prompt spamming technique.
The gist of this attack is:
- Adversary has already stolen primary username/password credentials by some other means (most commonly phishing);
- Adversary enters the stolen credentials in an attempt to sign in to an account protected by push MFA, and does this multiple times in succession;
- Target gets valid push notifications (normally to a mobile app of some sort) over and over;
- Sometimes the target will also receive a message or email from the attacker posing someone from the helpdesk or IT encouraging them to accept the access attempt.
- Eventually, the target tires of this flood of MFA notifications and taps “yes, it’s me,” instead of “no, it’s not me.”
Given this sequence of events, it's understandable that a user might choose to accept the push under these circumstances. We can provide the guidance to our users that if they receive an endless wave of MFA push notifications, they should not approve the MFA request, and not talk to unknown people claiming to be from their organization. But this isn’t enough. We are still placing a heavy burden on our users, who are just trying to get their jobs done.
The issue here is not user behavior or weak MFA, but a lack of systems that are designed to thwart these kinds of attacks before they gain traction.
How to best leverage MFA, and how has it changed?
When most organizations implemented MFA based authentication mechanisms to defend from identity-based attacks, they did so using low assurance factors, such as secret questions, SMS, voice, or email-based one-time passwords (OTP), relying heavily on the password being a bootstrap or primary authenticator. Subsequently the attack methods of the bad actors have evolved to target authentication factors that are perceived to be secure but are not (SMS-based OTP, for instance). While low-assurance factors still have value, organizations should be taking a risk-based approach to protecting their critical infrastructure through high-assurance factors.
At Okta, we have a defense-in-depth approach to protecting against MFA fatigue attacks that help us balance the need to be productive through fast access to data, with the need to secure our sensitive data. Our approach is both proactive and reactive.
Most of our employees authenticate by default using high-assurance, passwordless auth through Okta FastPass. FastPass uses information from both the device and the user to seamlessly authenticate the user and grant access to data. When employees are unable to use FastPass, we rely on push notifications with a Number Challenge, which is much more difficult for an attacker to duplicate. Okta also limits the services that an employee can access if they have used a lower-assurance factor. This helps to prevent lateral movement by the attacker if the employee is successfully phished.
In the event that an employee is phished, the attacker will want to add new authentication factors that they control, in order to retain access should their session be lost. Here at Okta, we use a platform feature that notifies users when changes to their security methods (their sign-on credentials, including those used for MFA) have been made. This feature ensures users are promptly alerted to any changes on their account, and can immediately report that something may be wrong to their cybersecurity team — if they didn’t make any of those reported changes themselves.
We leverage a “Report Suspicious Activity” button that triggers several events through an Okta Workflow. In addition to alerting the cyber security team with a PagerDuty alert, the flow suspends the user’s account so if it were compromised, the attacker would not be able to continue leveraging it. The Okta Workflow also fires calls to several, critical systems to terminate any application sessions the user may have. This prevents the attacker from using an existing session in apps like Slack or Google Workspace while waiting for the application session duration to expire. Layering these platform capabilities helps keep Okta secure.
How can organizations migrate to MFA best practices?
Based on our observations working with countless engineering and product teams, here are tips for increasing the security of an MFA feature and reducing its susceptibility to MFA fatigue attacks:
1. Mandate enrollment in phishing-resistant authenticators and to set access policies that require them
Recent attacks and breaches have demonstrated the ever-increasing sophistication of phishing and social engineering attacks. This is of such high prevalence that the OMB M-22-09 memo from the US government specifically calls out the use of stronger authentication methods, such as WebAuthn.
SMS, email and voice OTP, secret questions, push notifications are moderately secure authenticators that are less resistant to phishing. Protect high-risk data with phishing-resistant authenticators using FIDO (Fast Identity Online) protocols that leverage public key cryptography, and eliminate the use of shared codes or secrets. By doing so, organizations reduce the ability of attackers to intercept access codes and replay them. Phishing-resistant authenticators also verify the validity of both the source and destination, resulting in limited authentication action that can only occur between the intended site and the user’s device.
2. Go passwordless: Eliminate the reliance on passwords as authenticators
Passwords are essentially shared secrets and are low-assurance factors. Going passwordless with solutions like Okta FastPass can reduce or even eliminate a majority of password-based attacks, including phishing, credential stuffing, etc., and also cut authentication time and deliver a seamless experience.
3. Combine Risk-Based Authentication with your authenticator choice
In addition to enforcing MFA on every login, in some cases you should consider adding Risk-Based Authentication that requires a stronger authenticator for logins to especially sensitive applications. These stronger factors will also help you set a great foundation to eventually go passwordless.