MFA prompt bombing: How it works and how to stop it
User credentials are golden prizes for attackers. Weak or breached credentials provide an easy target for attackers looking to log in to a network instead of breaking in. Most businesses have caught on to the fact that multi-factor authentication (MFA) should be required for accessing business-critical resources. As a result, attackers are forced into using ‘MFA prompt bombing’ as an effective counterattack against this added layer of security.
What is MFA prompt bombing?
Hackers know that MFA presents a significant barrier to compromising a user account. Without MFA, a simple phishing email can be enough to steal credentials and progress an attack from there. Login details on their own aren’t enough with MFA enabled, as an attacker needs the employee to take further action. This usually involves an action on a separate device only the employee has access to: accepting a push notification on another phone, entering a time-sensitive code from an authenticator app, or using biometric authentication.
In an MFA bombing attack, cybercriminals send a barrage of MFA prompts to a victim’s mobile device to fatigue or annoy them into authenticating the log-in attempt. If someone receives hundreds of messages in a row, they may authenticate simply to stop the barrage of annoying notifications, hence why it’s sometimes call ‘MFA fatigue attacking.’ On the face of it, MFA prompt bombing might seem like an unsophisticated attack method, but simple tactics that exploit human behavior are often the most effective. As the following example shows, MFA fatigue has a real impact on people.
2022 Uber hack
Last year, Uber suffered a serious breach after attackers were able to compromise a contractor’s account. The company believes the attacker was able to purchase the contractor’s corporate login details on the dark web after they had been exposed in a previous data breach. Uber said that the attacker, affiliated with known cybercrime group Lapsus$, bombarded the contractor with MFA push notifications until he accepted one of the requests. This goes to show how a simple MFA fatigue attack can be once a password has already been compromised.
How to protect against MFA prompt bombing
MFA isn’t bulletproof – no single layer of security is. It’s still useful, but we have to be wary of the ways around it. Let’s take a look at a couple of ways that businesses can protect against MFA prompt bombing:
- Risk-based authentication
- Implementing more effective password policies
Risk-based authentication mechanisms are one way to help bolster MFA and lower the risk of MFA prompt bombing and MFA fatigue attacks. With risk-based authentication, applications look at signals contained in the login request to understand if there are anomalies. Anomalies may be characteristics of the login session, such as the geographic location of the request, the time of day, or the number of login attempts from different locations. The identity and access management system can then notify the user for further verification, or the account may be disabled altogether.
Microsoft’s conditional access policies found in Azure Active Directory are a great example of risk-based authentication. Conditional access policies use risk-based signals to determine if login requests are malicious and can then perform specific actions. These include forcing users to change their password or locking the account until an administrator performs manual steps to reactivate it.
While risk-based authentication adds the ability to help identify and remediate malicious login requests, it requires organizations to be integrated with Azure Active Directory or another service that provides access to risk-based authentication.
More effective password policies
When an attacker can trigger MFA prompts for the user, that means the password has already been compromised. Attackers may have successfully brute-forced user passwords or even obtained passwords from breached password lists of previously breached accounts.
Establishing more secure password policies helps users to create unique passwords or passphrases that haven’t been breached or compromised. The problem for many companies using traditional on-premises Active Directory Domain Services environments is they lack the native tools needed to create effective modern password policies and protect against breached passwords and other risky password types.
It only offers basic password policy controls for organizations to create password policies for users in their environment. For example, as you can see below, the controls found in Active Directory (even as of Windows Server 2022) are minimal:
The password policy settings do not protect organizations from the following:
- Incremental passwords
- Context-based passwords
- Reused passwords
- Multiple users with the same password
- Breached passwords
Since attackers can often easily guess or crack passwords that may meet the password policy settings defined in typical Group Policies found in many organizations, it’s often the first step towards MFA prompt bombing.
Stop MFA prompt bombing at step one with Specops Password Policy
The best way to stop these attacks is to stop passwords being compromised in the first place. Specops Password Policy allows businesses to significantly bolster the quality, strength, and uniqueness of passwords used across an organization’s user base. In addition, it helps to prevent attackers from getting past the first step of breaching a user’s password, further protecting organizations against the potential for MFA bombing.
Learn more about Specops Password Policy and sign up for a free trial here.
Protect employees during MFA bombing attacks with Specops uReset
As we noted above, once an attacker is able to MFA bomb a user, the password on the user’s account has already been compromised. Therefore, being MFA bombed should lead to users immediately resetting their password.
Unfortunately, not every organization has an easy way for users to reset their passwords, meaning many end up ignoring the need for password reset or calling the help desk. This is especially true in remote work situations
Specops uReset can greatly lower the frequency of helpdesk call by providing password reset options for remote and in-office users. Through MFA offered via Duo Security, Okta, PingID, and a biometric option, users are able to complete their password reset even if one of the authentication factors isn’t available (such as if the user does not have a cell phone). With uReset, all of this can happen without a help desk staff member’s help. Users can complete their password reset on their own, from wherever they are, at any time.
MFA prompt bombing works best when a second authentication can be given via a single push notification to a mobile device alone. This is technically two-factor authentication (2FA) as ‘true MFA’ would require at least one more factor. uReset offers integration with 15+ identity providers, including fatigue-resistant options like Yubikey hardware tokens or OTP apps that don’t send push notifications.
MFA prompt bombing FAQs
MFA prompt bombing is the repeated spamming of MFA prompts from attackers looking to cause a user to accidentally or unknowingly allow one of the prompts. It only takes one wrong selection from a user to enable attackers to access a compromised account. This new technique allows attackers to circumvent the extra security layer of MFA authentication.
Multi-factor (MFA) authentication requires multiple “factors” to be presented by a user logging in to validate their identity. For example, it commonly combines a password with a smartphone OTP (one-time passcode) app or text message to validate the identity, known as two-factor authentication (2FA).
Good security hygiene and best practices are important. Organizations can also implement solutions like risk-based authentication that looks at security signals to make determinations about a user login request to determine if these are malicious or legitimate. In addition, bolstering password policies to strengthen passwords makes it much more difficult for an attacker to get past this first factor of information (the password) to launch the MFA prompt bombing attack.
(Last updated on June 22, 2023)