Protecting Users from MFA Fatigue Attacks

What Is an MFA Fatigue Attack?

A multi-factor authentication (MFA) fatigue attack, also known as MFA bombing or MFA spamming, has become more prevalent with the increasing adoption of strong authentication. MFA fatigue is a type of social-engineering attack in which the attacker repeatedly sends MFA requests to the victim’s email, phone, or other registered devices. Any time users are doing “click to approve” or “enter your PIN to approve” instead of entering a code they see on-screen, they are doing simple approvals. The goal of the attack is to wear the victim down until they confirm their identity via a notification, which approves the attacker’s attempt to access the victim’s account or device.

Microsoft studies show that about 1% of users will accept a simple approval request on the first try. These attacks are on the rise, with push notifications, voice approvals, and SMS as the top culprits. That’s why it’s critical to ensure that users must enter information from the login screen, and that they are given more context and protection when they approve.

ITM recommends that customers (the administrators of the customer’s IT systems) need to:

  1. Perform procedures according to Microsoft guidelines and recommendations, and strictly manage all access to the enterprise IT environment.
  2. Protect against and prevent risks at the highest level.

Here are a few instructions ITM sends to your business:

1. Prevent good users from accidentally approving sign-ins

Number matching (with the “type the code” experience) prevents accidental approval by requiring the user to type a two-digit code from the login screen into their Authenticator app. If the user didn’t initiate the sign-in, they won’t know the two-digit code, so the bad actor would have to share the two-digit code over a separate channel, which the user shouldn’t accept. Number matching has been in public preview for MFA since November 2021, and almost 10K enterprises are already using it daily. It is also the default experience for passwordless phone sign-in using Microsoft Authenticator.

Note: Number matching will be automatically enabled for all users of the Microsoft Authenticator soon after GA. 

2. Help users make good decisions by providing them with more context

Additional context displays extra information in the push notifications sent to your users. This includes the (IP-based) location the sign-in is coming from and the app the user is trying to access. The context helps the user understand the origin of the sign-in and thereby reduces the chances of accidental approval. Additional context has been available in public preview since November 2021 and will soon be GA for both MFA and passwordless flows.
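To make the two controls above concrete, here is an added example (written for this article, not code from ITM or from Microsoft Authenticator) that models a number-matching challenge with additional context. The server shows a two-digit number only on the login screen; the push notification carries the app name and IP-based location but never the number, so a user who did not start the sign-in has nothing to type and a blind tap cannot approve anything. The three-attempt lock is an assumption for the example, not a documented Authenticator behaviour.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PushNotification:
    """What the Authenticator app displays: the request plus its additional context.
    The matching number is deliberately NOT part of the push."""
    request_id: str
    app_name: str      # additional context: application being signed in to
    location: str      # additional context: IP-based location of the sign-in
    source_ip: str


@dataclass
class PendingSignIn:
    display_number: int   # shown only on the login screen of whoever started the sign-in
    push: PushNotification
    attempts: int = 0


class NumberMatchingService:
    # Assumed for this example: lock the request after three wrong numbers.
    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self._pending: dict[str, PendingSignIn] = {}

    def start_sign_in(self, app_name: str, location: str, source_ip: str):
        """Create a pending sign-in. Returns (request_id, number for the login
        screen, push payload for the device). Only the login screen gets the number."""
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100)          # 00..99, shown on the login screen
        push = PushNotification(request_id, app_name, location, source_ip)
        self._pending[request_id] = PendingSignIn(number, push)
        return request_id, number, push

    def approve(self, request_id: str, typed_number: int) -> str:
        """Called when the user types a number into the app. A simple 'Approve' tap
        has no equivalent here: without the correct number nothing is approved."""
        pending = self._pending.get(request_id)
        if pending is None:
            return "unknown_request"             # already resolved, expired, or never existed
        pending.attempts += 1
        if typed_number == pending.display_number:
            del self._pending[request_id]        # single use: a match consumes the request
            return "approved"
        if pending.attempts >= self.MAX_ATTEMPTS:
            del self._pending[request_id]        # too many wrong guesses: close the request
            return "denied_locked"
        return "denied"


def render_push(push: PushNotification) -> str:
    """Text the user would see before deciding whether to type anything at all."""
    return (f"Sign-in request to {push.app_name} from {push.location} "
            f"(IP {push.source_ip}). Enter the number shown on your sign-in screen.")


if __name__ == "__main__":
    svc = NumberMatchingService()
    rid, number, push = svc.start_sign_in("Office 365", "Seattle, US", "203.0.113.7")
    print(render_push(push))
    # The legitimate user reads the number off the login screen and types it.
    print(svc.approve(rid, number))
```

Note that the push payload is what makes the "additional context" decision possible: a user in Seattle who sees a request from another city for an app they are not opening has a reason to ignore it, and even if they do open the app, they still cannot approve without the number.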

3. Still migrating to the Authenticator? Automatically change the passwords of your at-risk users

You may have users who are still migrating away from simple MFA approval mechanisms. Protect these users by automating password changes for at-risk users. If a user with simple MFA approvals enabled is getting repeated MFA requests, that means the bad actor has the user’s correct password. If a bad actor attempts a risky sign-in (e.g., from an unfamiliar location) and fails to get approval on the MFA push notification, the user risk level is automatically elevated to the risk level of that risky sign-in. You can review at-risk users in the Azure AD Risky users report and use this user risk to automatically change the passwords of such users. A password change by the user remediates the user risk and stops the bad actor from sending any more MFA requests.
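The logic described above, as an added illustration (not ITM’s or Azure AD’s own implementation): a small detector that runs over constructed sign-in records, finds users who received a burst of push challenges they did not approve, raises the user’s risk to the highest risk level of the sign-ins in that burst, and recommends a forced password change when that level is high. The threshold of three unapproved pushes within ten minutes, the field names, and the sample records are all assumptions made for the example; in Azure AD the equivalent decision is taken by Identity Protection and a user risk policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample sign-in records (not real tenant logs): one record per MFA push challenge.
SIGN_IN_LOG = [
    {"time": "2022-10-03T09:00:05", "user": "alice@example.com", "location": "Lagos, NG",  "sign_in_risk": "high",   "push_result": "denied"},
    {"time": "2022-10-03T09:00:40", "user": "alice@example.com", "location": "Lagos, NG",  "sign_in_risk": "high",   "push_result": "timeout"},
    {"time": "2022-10-03T09:01:20", "user": "alice@example.com", "location": "Lagos, NG",  "sign_in_risk": "high",   "push_result": "denied"},
    {"time": "2022-10-03T09:02:10", "user": "alice@example.com", "location": "Lagos, NG",  "sign_in_risk": "medium", "push_result": "timeout"},
    {"time": "2022-10-03T11:00:00", "user": "bob@example.com",   "location": "Dublin, IE", "sign_in_risk": "low",    "push_result": "denied"},
    {"time": "2022-10-03T11:01:00", "user": "bob@example.com",   "location": "Dublin, IE", "sign_in_risk": "low",    "push_result": "approved"},
    {"time": "2022-10-03T08:00:00", "user": "carol@example.com", "location": "Paris, FR",  "sign_in_risk": "medium", "push_result": "denied"},
    {"time": "2022-10-03T09:00:00", "user": "carol@example.com", "location": "Paris, FR",  "sign_in_risk": "medium", "push_result": "denied"},
    {"time": "2022-10-03T10:00:00", "user": "carol@example.com", "location": "Paris, FR",  "sign_in_risk": "medium", "push_result": "timeout"},
]


def detect_mfa_fatigue(records, threshold=3, window=timedelta(minutes=10)):
    """Return {user: finding} for users with at least `threshold` unapproved push
    challenges inside any sliding `window`. The user's risk becomes the highest
    sign-in risk seen in the burst, mirroring the elevation described in the text."""
    unapproved = defaultdict(list)
    for rec in records:
        if rec["push_result"] != "approved":          # denied or timed-out pushes both count
            unapproved[rec["user"]].append((datetime.fromisoformat(rec["time"]), rec))

    findings = {}
    for user, events in unapproved.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):               # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best is None:
            continue                                  # isolated denials are normal user behaviour
        user_risk = max((rec["sign_in_risk"] for _, rec in best), key=RISK_ORDER.__getitem__)
        findings[user] = {
            "unapproved_pushes": len(best),
            "first_seen": best[0][0].isoformat(),
            "locations": sorted({rec["location"] for _, rec in best}),
            "user_risk": user_risk,
            # Assumed policy for the example: high user risk triggers a forced password change,
            # which invalidates the password the attacker is using to generate the pushes.
            "action": "force_password_change" if RISK_ORDER[user_risk] >= RISK_ORDER["high"] else "review",
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(SIGN_IN_LOG).items():
        print(user, finding)
```

In the sample data only alice is flagged: four unapproved pushes within about two minutes from a high-risk sign-in. bob’s single denial followed by a normal approval and carol’s three denials spread over two hours fall outside the window, which keeps the rule from firing on ordinary mis-taps.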

4. Important things to know

You won’t have to do the second step very often. Some people worry that multifactor authentication is going to be really inconvenient, but generally it’s only used the first time you sign into an app or device, or the first time you sign in after changing your password. After that you’ll just need your primary factor, usually a password, like you do now.

The extra security comes from the fact that somebody trying to break into your account is probably not using your device, so they’ll need to have that second factor to get in.

Multifactor authentication is not just for work or school. Almost every online service from your bank, to your personal email, to your social media accounts supports adding a second step of authentication and you should go into the account settings for those services and turn that on.

Your security is paramount to us, so we strongly recommend that you enable these capabilities as soon as possible. To avoid issues related to MFA and get timely assistance with security issues, please contact ITM today.
