MFA Prompt Bombing: Hacking Technique Preys On Distracted Users

June 13, 2022
Craig Szczublewski

To improve security with sensitive online personal and corporate accounts, deploying Multifactor Authentication (MFA) is an effective solution at preventing takeovers. There are many Multifactor Authentication (MFA) tactics available that are effective and some are stronger than others. Recent hacking events called MFA Prompt Bombing have shown weaker MFAs are vulnerable.

Not All MFAs are Created Equal

An MFA requires users provide a username and password, and an additional authentication factor – fingerprint, one-time password, security key – before an account can be accessed. MFA implementations rely on a variety of different methods to deliver that second step of validation. Some methods use timed one-time passwords (TOTP), often a six-digit rotating code viewed in an authenticator app on smartphones, or optionally delivered via SMS/text messaging. Other methods may include biometrics or hardware keys to verify our identity. While these methods offer the best security, they can be complex to implement and tedious to use daily.

To reduce the deployment effort, there are less complex – and easier to exploit – methods that can use smartphone apps to receive push-style notifications, which asks if you are really trying to sign in. In other cases, it may even make a phone call to the user which requires a response with a key press.  These push-style implementations of MFA are targets for attack. An Ars Technica article by Dan Goodin covers how the recent Solar Winds hackers exploited the push-style MFA by using prompt bombing.

MFA Prompt Bombing Triggers User Fatigue

This style of attack tries to introduce MFA fatigue by relentlessly attempting logins with discovered credentials in the hope that the end-user will eventually get tired of receiving the notices asking if they are trying to log in and simply click “yes it’s me”, either intentionally or accidentally. Since many online providers do not have a limit set on the number of times a MFA request can be sent out, there have been reports of people receiving a hundred notices an hour, sometimes in the middle of the night.

If you have an MFA policy implemented using this type of push notification, the underlying technology is still considered secure as it requires the user to always get notified if authentication is attempted and is still better than not having any MFA at all. However, it is important to be vigilant of the notifications being received. A good resource is this Watchguard blog, How To Avoid MFA Prompt Bombing Attacks.

If you are getting notified about authorizing a login to a trusted system that you are not actively connecting to, always deny the request. In addition, that may mean your credentials could have been compromised as well, which should prompt you to change your password as soon as possible. If a TOTP method is available for your MFA implementation, or biometric options exist (commonly called FIDO2 for Fast Identity Online), moving to this type of deployment can mitigate these attacks designed to trick us. If you have questions about your MFA deployment or are interested in improving online security, please contact Aktion Associates so we can match the proper solution to your needs.