‘MFA fatigue’ pushes momentum for more secure factors

Taking a page from little kids who want ice cream really bad, hackers are wearing down their targets with relentless requests. “MFA fatigue” attacks, like the one used to pester an Uber employee enough to approve login attempts, demonstrate a weakness in the traditional push notification.

The success of the tactic against multi-factor authentication (MFA)—a favorite safeguard among IT pros—has led some to accept, accept, accept a new class of additional factors.

“Is MFA broken? Absolutely not. Is MFA a really good way to protect your account? Absolutely. Is push notification the way we want to do MFA? No,” said Lance Spitzner, senior instructor at the SANS Institute.

I’m tired, what’s MFA fatigue? MFA fatigue begins when a cyber attacker finds a password, logs in as the compromised user, and then activates push notifications to the individual’s second factor: the phone.

Tools like Microsoft Authenticator, for example, send “approve” or “deny” notifications to a device after password entry. MFA fatiguers send request after request, hoping a tired target gives in and gives the green light.

“What Microsoft did was [try] to make it as simple as possible. They made it too simple,” said Spitzner. “That’s what bad guys are taking advantage of.”

Microsoft recently announced that its more secure notification option, or at least one that requires more than an accidental approval click—number matching—will soon be enabled by default.

Uber exhausted. Compromised passwords allow attackers to pose as trusted users—an obvious security threat that could lead to data loss, depending on access levels.

In September, a hacker first stole an Uber employee’s password, then triggered push notifications to the individual. The target initially denied the logins, so the hacker reportedly then messaged them on WhatsApp, posing as an IT worker who needed access. (That worked.)

With multi-factor authentication, a quick click can easily be made in error. Ideal MFA, according to Terry Jost, managing director at Protiviti, takes a longer, more secure route on the road of authentication.

“I think there’s multi-factor, and then there’s a strong multi-factor authentication. And a strong multi-factor authentication typically includes a completely separate path for the second method of authentication,” said Jost, noting the importance of an out-of-band factor, like a separate phone call.

Looking ahead. In May, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The goal: websites and apps that offer passwordless sign-ins to consumers across devices and platforms.

Apple passkeys, a strong multi-factor option, according to Spitzner, and one available in September’s iOS 16 update, is stored on a device and activated by face recognition or touch—to prove you are who you are.

“Now, websites have to adopt the standard for it to work. So, there is something on the horizon, but it’s gonna take a while,” said Spitzner.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.