Key Considerations for Alleviating MFA Push Fatigue

Attackers are now trying to gain access to corporate systems by overwhelming employees with push notifications. Here’s how to prevent it from happening.

cso paid 1200x800 photo 02

Security awareness training — combined with the right technologies — have done a great job of alerting employees to the risks of phishing scams and clicking on suspicious links.

But criminals are relentless and brutally crafty. They will continue to target end-users, as people are cheaper and easier to exploit than systems. “Anyone who has been in security long enough recognizes that every time we make a taller wall or a stronger door, someone comes up with a taller ladder or a better battering ram,” says said J. Wolfgang Goerlich, Advisory CISO at Cisco.

Their latest tactic involves creating multifactor authentication (MFA) fatigue. This occurs when the attacker “sends a user multiple push notifications in the hopes that they will click and approve a request — either out of muscle memory, thinking they must have logged into an application, or simply out of hope that they will stop getting these notifications,” says Goerlich.

Neither the individual nor the organization has done anything wrong. Rather, it’s a case of attackers finding new ways to evolve their tactics.

So, how can you protect your organization against these threats?

Accept that we’re only human

First, don’t throw away your MFA solution. It may only need a little tweaking because it’s doing what you want users to do: Authenticate their identity.

“One of the first things an organization can do is evaluate their multifactor solution to reduce how often someone needs to authenticate,” Goerlich advises.

Techniques include setting MFA to only remember a multifactor for a few hours and using single sign-on capabilities. The point is to reduce the overall number of pushes, so when there is a notification, it’s more noticeable.

Security awareness should go together with these modifications. Let users know about MFA fatigue and be accepting when an incident occurs.

“Some employees worry that if they decline or ignore a push notification, they may be penalized,” Goerlich says.

At the same time, encourage users to report when they do fall victim to push fatigue.

“I often say that kindness is the first security control,” Goerlich says. “We need to say: ‘Please report it; we're not going to blame or shame you.’ The more accepting we as security professionals can be, the more comfortable people will be in letting us know when things go wrong.”

Other ways to combat push fatigue

In addition to MFA solution tweaks, organizations should consider these techniques to counter push fatigue:

  • Device trust. Identifying the user is important, and so is identifying the device they’re using. A device authentication solution not only reduces the risks of unauthorized device access, it can also help meet compliance goals by enforcing access policies and monitoring the health of devices.

  • Passwordless. Removing passwords from the login equation reduces the burden on users. Passwordless authentication includes several verification methods including biometrics, security keys, and specialized mobile apps to verify identity.

  • Verified push. With this technique, users must enter a verification code from the device they’re using during login. This helps ensure that only verified individuals can log in and helps prevent someone from accidentally accepting a push notification they didn’t request.

“We need to anticipate that wherever we put a control, it’s not going to stop an adversary, it’s going to delay them and move adversaries to a different spot which may be weaker,” he continues. “Once we determine where the new spot is, it’s incumbent on us to respond and tighten up those controls. And of course, increase awareness of the new attack techniques among our end-users and front-line security professionals.”

For more information, click here.

Copyright © 2023 IDG Communications, Inc.