
What is MFA Fatigue and How to Combat it?

Multi-factor authentication (MFA) is the single most important protection we can add to a username and password combination, and we should not underestimate it. Unfortunately, every control has its weakness, and MFA's is what the industry refers to as MFA fatigue.

What is MFA Fatigue?

MFA push notifications remove the hassle of typing an MFA code: a prompt appears on your mobile phone and you accept or deny it, and tapping accept completes the authentication. But we cannot assume our passwords are secure. We should instead assume that all of our passwords are available on the dark web. When an account is compromised or its password is exposed on the dark web and the attacker attempts to authenticate, the user receives the MFA prompt. As long as the attacker keeps trying to log in with the known password, the user keeps receiving MFA push notifications. When those notifications arrive repeatedly for an hour or more, that is MFA fatigue.
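The pattern described above (a burst of denied or ignored prompts, sometimes followed by an approval) is something a defender can look for in identity-provider logs. The following is an added example, not code from the original post or any vendor; the log format and the entries are constructed, and the ten-minute window and threshold of three prompts are assumptions to tune for your environment.

```python
"""Flag MFA-fatigue style push bursts in constructed authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one push prompt per line, "timestamp user result source_ip".
SAMPLE_LOG = """\
2023-03-01T13:58:10Z alice denied 203.0.113.7
2023-03-01T13:59:40Z alice timeout 203.0.113.7
2023-03-01T14:01:05Z alice denied 203.0.113.7
2023-03-01T14:02:30Z alice timeout 203.0.113.7
2023-03-01T14:04:00Z alice denied 203.0.113.7
2023-03-01T14:05:45Z alice approved 203.0.113.7
2023-03-01T14:10:00Z bob approved 198.51.100.2
2023-03-01T14:20:00Z bob denied 198.51.100.2
"""


def parse_log(text):
    """Return a list of (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def find_fatigue_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (unapproved_prompt_count, approved_after_burst)} for every
    user who received at least `threshold` denied or timed-out prompts inside
    `window`. An approval that follows such a burst is the case to treat as a
    likely compromise rather than a normal successful login."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Sliding window anchored on each prompt; approvals are not counted.
            unapproved = [e for e in evs[i:] if e[0] - start <= window and e[2] != "approved"]
            if len(unapproved) >= threshold:
                last_unapproved = unapproved[-1][0]
                approved_after = any(e[2] == "approved" and e[0] >= last_unapproved for e in evs)
                alerts[user] = (len(unapproved), approved_after)
                break
    return alerts
```

A user in the result with `approved_after_burst` set is the one to call back and re-verify before trusting the session.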

Push Notifications versus Token

One option is simply to avoid push notifications and require users to enter the MFA code. This avoids MFA fatigue, but it also gives up the convenience of the push notification. It is a real option, and one we seriously consider.

Why Should We Be Concerned About MFA Fatigue?

Can we trust that every user will stop to ask whether a random MFA push notification at 2:00 pm came from one of their own devices, or will they simply tap approve? That question is the source of the concern about MFA fatigue and push notifications.

What Access is Possible?

Assuming the company is using Office 365 and SharePoint, MFA fatigue would lead to the attacker at least gaining access to that user’s emails, contacts, calendars, and all the SharePoint data they have access to. If they are an administrator, then the attacker could add users, change and remove access for the entire company, and even encrypt all the data within Office 365. Those are fairly serious consequences without even contemplating the idea that the situation could be considered a data breach.

Password Security and the Dark Web

One important item to consider in this discussion is password security. We assume our passwords are secure and not “leaked”. That’s not the case. Account passwords are leaked every day. We should assume our passwords are available on the dark web and that anyone could purchase our information. MFA is the only protection we have against attackers accessing our data.

How to Respond to an MFA Push Notification

If a user receives a push notification on their mobile device while not actively trying to authenticate, the best option is to deny it. Outlook will then prompt the user for their password or another MFA prompt, and the same applies to an email account on a mobile phone. Eventually the phone will reauthenticate and the MFA push notification will return, but it will return at the moment the user is actually trying to authenticate. That is the right time to approve the request.

Where Have MFA Fatigue Attacks Been Successful?

None of these concerns matter unless MFA fatigue has actually led to a compromise. Below are some examples of how MFA fatigue has been used in the wild.

Uber Late 2022

In Q4 of 2022, an attacker obtained a compromised account and attempted to authenticate into the Uber network. The user had MFA, so they received the push notification and most likely denied or at least ignored it. The attacker kept trying and eventually contacted the user over WhatsApp, claiming to be from "IT Support" and telling the user to accept the prompt to make the notifications stop. This attack led to a significant compromise of Uber involving email, Slack, and multiple other systems.

Microsoft, Cisco

In March 2022, the group Lapsus$ used a compromised password to gain access. In August 2022, Yanluowang Group gained access to a Cisco user’s Box account through MFA fatigue. Lapsus$ also breached a software company, Globant, and stole data. Globant services Google, Disney, and EA (https://www.avertium.com/resources/threat-reports/mfa-breaches-and-mfa-fatigue).

MFA Definition Review

CISA defines MFA as the following:

  1. Something you know: like a password or Personal Identification Number (PIN)
  2. Something you have: like a smart card, mobile token, or hardware token
  3. Some form of biometric factor: like a fingerprint, palm print, or voice recognition

The third option is up for debate and could easily be referred to as “something you don’t know.” This is where the code or a double confirmation can be used. So a password, a push notification, and a code are good options. 

What Direction is MFA Moving?

Duo improves security through several methods, but it is the Duo push notification combined with a passcode (Duo Verified Push) that confirms the user is actually involved in the authentication, because it requires the user to carry information from the application to the mobile app (https://guide.duo.com/universal-prompt).

Below is a screenshot of a typical Duo push notification. When the user clicks “Send me a Push” their mobile app prompts an accept or deny. This is vulnerable to MFA fatigue.

Duo Verified Push combines the notification above with a 3-6 digit code that is displayed on the login screen and must be entered in the mobile app. Following the notion of something you have plus something you don't know, this method completes the process and protects the user from MFA fatigue. When an attacker with a compromised account tries to authenticate as the real user, the attacker does not have the code required to complete the process.

The example above is Duo, but we expect Microsoft to follow this concept sometime soon.
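To make the difference concrete, here is a minimal model of plain push approval beside verified push with number matching. It is an added example and not Duo's or Microsoft's code; the `PushServer` class, the six-digit default and the user names are assumptions made for illustration.

```python
"""Plain push vs. verified push (number matching): a minimal model."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    user: str
    code: Optional[str]     # None for plain push; otherwise shown on the login screen
    approved: bool = False


class PushServer:
    """Hypothetical MFA service issuing one pending push challenge per user."""

    def __init__(self, verified: bool, digits: int = 6):
        self.verified = verified
        self.digits = digits
        self.pending: Dict[str, Challenge] = {}

    def start_login(self, user: str) -> Challenge:
        """Called after the password check. Whoever is at the login screen sees
        the returned challenge (and its code); the phone only gets the prompt."""
        code = None
        if self.verified:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[user] = Challenge(user, code)
        return self.pending[user]

    def approve(self, user: str, entered_code: Optional[str]) -> bool:
        """The mobile app's approve action. With verified push the approval is
        only honoured when the code typed into the app matches the challenge."""
        ch = self.pending.get(user)
        if ch is None:
            return False
        if self.verified and (entered_code is None or
                              not hmac.compare_digest(ch.code, entered_code)):
            return False
        ch.approved = True
        return True


def attacker_initiated_login(verified: bool) -> bool:
    """Attacker knows the password; the real user is not at the login screen,
    so they have no code to enter and can only tap approve on the prompt."""
    server = PushServer(verified)
    server.start_login("alice")             # code, if any, is on the attacker's screen
    return server.approve("alice", None)    # plain push: True; verified push: False


def legitimate_login(verified: bool) -> bool:
    """The real user is at the login screen and types the code they can see."""
    server = PushServer(verified)
    screen = server.start_login("alice")
    return server.approve("alice", screen.code)
```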

Summary

Consider every account and whether it carries an MFA requirement that prevents unauthorized access. Every last account a user holds should require MFA to protect the data behind it. Attackers use accounts to move laterally and to gain access to other systems, so keep that in mind when securing accounts and enforcing MFA for your organization.

If you or your organization is suffering from MFA fatigue, contact Run Networks today and find out how we can help improve your security posture.