MFA Push Notifications considered harmful?
The title of this post is a playful take on Dijkstra's classic "Go To" ACM article from the 1960s, but I think it may also prove to be accurate. The Uber breach, the most recent high-profile case of a multi-factor authentication (MFA) fatigue attack, has convinced me that my early infatuation with MFA push notifications was an unhealthy crush.
While MFA is a critical security control for creating a defense-in-depth authentication solution, MFA push notifications may pose a real danger via notification fatigue.
Multi-factor Authentication
MFA uses additional factors beyond the traditional username and password (a single-factor solution) to increase security. While a username and password provide some assurance of a user's identity, passwords can be weak, lost, reused, or stolen. MFA layers on additional authentication factors, which are often categorized as:
Something you have
Something you know
Something you are
With MFA, users typically enter a digital token or code generated by a secondary device they physically possess in order to gain access to their account. In the event of credential compromise, MFA adds a further layer of protection that prevents a threat actor from accessing your sensitive information with the stolen credentials alone.
Undoubtedly, MFA is a big improvement and greatly increases the difficulty for threat actors who may buy credentials from a data breach and then use them to gain access to other accounts. With MFA, even if the threat actor has your credentials (something you know) they still have to bypass one or more additional MFA steps (something else you have/are). But while MFA helps improve security posture, users may still find the additional steps cumbersome.
Enter push notifications
My favorite thing about MFA push notifications has always been the reduced friction. I remember how pleased I was when I was able to configure push notifications on my phone. The company I worked at had a pretty questionable single sign-on implementation that I may have referred to as "every sign-on" due to the frequency with which I had to re-authenticate throughout the day.
Between the long and complex password entry, digging out my phone, unlocking it, opening the MFA app, finding the right account, ensuring the time wasn't nearly expired, and typing many digits into the form — over time this security tax became noticeably annoying.
Push notifications significantly reduce friction by allowing the user to acknowledge with a single gesture. If you look at the above list of steps, with push notifications you don’t need to unlock the phone, open an app, worry about timeouts for the code, or type anything into a form. And with smartwatch integration, you don’t even need to take out your phone at all. I'll be honest, this was a killer feature for me and the biggest reason I bought my first Apple Watch many years ago.
It’s not just for APTs anymore
An early indicator of the problem with MFA push notifications came in Mandiant's report about Russian attacks against government and business entities, in which they called this technique "Abuse of Repeated MFA Push Notifications." GoSecure Titan Labs followed up with a post detailing the use of MFA fatigue attacks against Office365 and offering advice on how to detect and mitigate them.
With Uber attributing their breach to LAPSUS$, an unconventional threat actor group responsible for numerous high-profile attacks in the past two years, it's fair to say that MFA fatigue has made it to the mainstream toolbox. While MFA has improved security for companies that adopt it, attackers have shown that they can exploit human fatigue to bypass MFA when push is enabled as an authentication mechanism.
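As an added illustration, not part of the original post and not code from Mandiant or GoSecure, the following Python sketch shows the kind of detection logic those reports point toward: count MFA push prompts per user inside a short window, and treat an approval that follows a run of denials as the highest-severity case. The log format, field names, sample lines and thresholds are all assumptions constructed for this example; real identity-provider logs differ and would need their own parser.

```python
"""Detect bursts of MFA push prompts (the "MFA fatigue" pattern) in
authentication logs.  Log format, field names and thresholds are
assumptions for this example, not any particular IdP's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
# "<ISO-8601 timestamp> <user> <push result> <source IP>"
SAMPLE_LOG = """\
2022-09-15T02:01:10Z alice push_denied 203.0.113.7
2022-09-15T02:01:42Z alice push_denied 203.0.113.7
2022-09-15T02:02:15Z alice push_denied 203.0.113.7
2022-09-15T02:03:01Z alice push_denied 203.0.113.7
2022-09-15T02:03:48Z alice push_approved 203.0.113.7
2022-09-15T09:14:05Z bob push_approved 198.51.100.20
2022-09-15T13:40:12Z bob push_approved 198.51.100.20
"""


def parse_line(line):
    """Parse one whitespace-separated log line into a dict (assumed format)."""
    ts, user, result, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "result": result,
        "ip": ip,
    }


def find_push_bursts(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {user: summary} for every user who received at least
    `threshold` push prompts inside any sliding `window`.

    The summary records the largest burst seen, the most denials seen in
    a single window, whether an approval followed a denial inside a
    window (the fatigue success case), and the source IPs involved."""
    events_by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events_by_user[event["user"]].append(event)

    alerts = {}
    for user, events in events_by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for i, event in enumerate(events):
            # Slide the window start forward until events[start:i+1] all
            # fall within `window` of the current event.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:i + 1]
            if len(span) < threshold:
                continue
            denials = sum(1 for e in span if e["result"] == "push_denied")
            # Worst case: the user finally tapped "approve" after denials.
            approved_after_denials = denials > 0 and event["result"] == "push_approved"

            summary = alerts.setdefault(user, {
                "prompts": 0,
                "denials": 0,
                "approved_after_denials": False,
                "source_ips": set(),
            })
            summary["prompts"] = max(summary["prompts"], len(span))
            summary["denials"] = max(summary["denials"], denials)
            summary["approved_after_denials"] |= approved_after_denials
            summary["source_ips"].update(e["ip"] for e in span)
    return alerts


def severity(summary):
    """A burst that ended in an approval warrants an immediate response;
    a burst of denials alone is still worth a look (possible credential theft)."""
    return "critical" if summary["approved_after_denials"] else "warning"


if __name__ == "__main__":
    for user, summary in find_push_bursts(SAMPLE_LOG).items():
        print(f"{severity(summary).upper()}: {user} received {summary['prompts']} "
              f"push prompts in one window ({summary['denials']} denied); "
              f"source IPs: {', '.join(sorted(summary['source_ips']))}")
```

On the constructed sample, alice triggers a critical alert (five prompts in under three minutes, four denied, then approved) while bob's two approvals hours apart never reach the threshold. A burst of denials that never ends in an approval is still a signal that someone other than the user holds valid credentials, which is why the sketch reports it as a warning rather than ignoring it.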
One of these things is not like the others
There are many additional factors to choose from when implementing MFA, such as biometrics, FIDO/FIDO2 U2F devices, etc. But fundamentally, the promise of MFA is that it validates additional authentication attributes: something else you know, something else you have, or something else you are.
Given the ease with which MFA push notifications can be abused via fatigue, it’s no longer clear to me that a positive MFA push response proves that the user authenticating actually has the device in question. While there are many ways to try to mitigate these attacks, in my opinion, the best choice is to disable MFA push notifications entirely.
If you want to address user friction, consider other secondary factors. For example, a biometric response such as a fingerprint reader on a phone or laptop, or a FIDO2 security key can save steps while ensuring that a bleary-eyed employee doesn’t accidentally give away the keys to the kingdom.
Take Control of your risk
Whether you are accounting for the human element or digital risks, exposure is inevitable in our digital economy. Understanding your organization’s risk is critical.
Anyone (yes, anyone!) can tap into our industry-leading cyber risk management platform, Coalition Control. Sign up and try it out for your organization now to better understand your potential digital risks.