How dismantling MFA bombing can prevent ATO fraud

Monday 12 June 2023 10:58 CET | Editor: Irina Ionescu | Voice of the industry

Louise Watson, Product Marketing Manager at Ping Identity, tackles the evergreen topic of account takeover and the best-in-class techniques and technologies for preventing it, including push notifications and FIDO2 passwordless authentication.


Securing users and their finances doesn’t mean you must endure MFA fatigue. There are many tactics for dismantling MFA bombing that are both secure and user-friendly, from limiting the number of MFA prompts within a specific time frame and leveraging push notifications with number selection to utilising risk-based authentication and going passwordless. With these options, ecommerce and financial institutions can prevent account takeover (ATO) fraud and offer exceptional digital experiences.

MFA bombing dismantled

As multi-factor authentication (MFA) is now the identity security standard for ecommerce and financial institutions, attackers are evolving their tactics for bypassing MFA to commit account takeover fraud. One of the prominent attack vectors is called MFA bombing or flooding, which plays on a user’s emotions by manufacturing MFA fatigue. 

In essence, attackers take advantage of users by sending a flood of push notifications. Many deny the prompts initially but, after receiving one every few seconds, get annoyed and approve the request.

Many organisations that handle users’ money encourage the use of MFA for the protection it provides, but relying on users to manually approve authentication requests is now riskier than ever. Even when not under attack, organisations are quickly recognising that forcing MFA too often costs them employee productivity and customer revenue. Over 56% of consumers have abandoned an online experience because the login process was too frustrating [1].

So, how can organisations reap the security benefits that MFA provides in the face of attacks and fatigue? There are four main options for dismantling MFA bombing, listed here in order of increasing complexity:
  1. limiting MFA prompts to a specific time frame
  2. leveraging push notifications with number selection
  3. utilising risk-based authentication
  4. going passwordless with FIDO2.

Limit the number of prompts in a specific time frame

The easiest option to address MFA bombing is limiting the number of prompts sent to a user within a specific time frame. Even trained users may approve a push notification after being prompted ten times, so limiting the number of prompts to three, for example, can help. 

Unfortunately, the user must still respond to the notification, with many approving the first push. If limiting the prompts is the only option available to an organisation, it may be wise to consider this as a temporary solution. 

Push notifications with number selection

Another easy option to dismantle MFA bombing is using push notifications with number selection. This method forces proximity by presenting a two-digit number on the accessing device (the login screen) and asking the user to select that number from a list of options in the authenticator app. For many, receiving a push notification with a number selection without seeing the number on the accessing device will look suspicious, and they will report the attack. However, this method of MFA could still cause fatigue and open the door to account takeover.
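As an added illustration of the two options above (not code from the article or from Ping Identity), the following Python sketches a push-MFA service that caps prompts per user per time window and requires number matching on approval; the five-minute window, the class and method names, and the alert records for the security team are assumptions.

```python
import time
import secrets
from collections import defaultdict, deque

MAX_PROMPTS = 3        # cap used in the article: three prompts per window
WINDOW_SECONDS = 300   # window length is assumed here; the article names none

class PushMfaService:
    """Hypothetical push-MFA service: per-user prompt cap plus number matching."""

    def __init__(self, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS, clock=time.time):
        self.max_prompts = max_prompts
        self.window = window
        self.clock = clock                 # injectable so tests can control time
        self._sent = defaultdict(deque)    # user -> timestamps of prompts inside the window
        self._pending = {}                 # user -> number currently shown on the login screen
        self.alerts = []                   # (user, reason) records for the security team

    def request_prompt(self, user):
        """Issue a push and return the two-digit number to display on the accessing device,
        or None (plus an alert) when the user already hit the cap in this window."""
        now = self.clock()
        sent = self._sent[user]
        while sent and now - sent[0] > self.window:   # drop prompts that fell out of the window
            sent.popleft()
        if len(sent) >= self.max_prompts:
            self.alerts.append((user, "prompt cap exceeded"))
            return None
        sent.append(now)
        number = secrets.randbelow(90) + 10            # 10..99
        self._pending[user] = number
        return number

    def choices_for_device(self, user, count=3):
        """Options shown in the authenticator app: the real number plus decoys, shuffled."""
        options = {self._pending[user]}
        while len(options) < count:
            options.add(secrets.randbelow(90) + 10)
        options = list(options)
        secrets.SystemRandom().shuffle(options)
        return options

    def respond(self, user, selected):
        """Approve only when the selected number matches the one on the accessing device."""
        expected = self._pending.pop(user, None)
        if expected is None or selected != expected:
            self.alerts.append((user, "approval without matching number"))
            return False
        return True
```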


Risk-based authentication

Beyond tweaking the settings of MFA prompts, risk-based authentication (RBA) is a more targeted option for dismantling MFA bombing. RBA limits how often MFA is needed and varies the method used based on the conditions of each login attempt. While attackers cause MFA fatigue, an organisation’s own cumbersome authentication policies can also be a root cause.

RBA is adaptive and helps create intelligent access policies based on data inputs and risk signals. It makes authentication decisions smarter by learning the patterns of each user, device, location, network, etc., and providing a risk score. 

MFA policies use this score to determine whether to approve or challenge authentication and what method to use. For example, if the user attempts to log in from a known device at a known location, the risk of account takeover is low, and no MFA is required. However, if the login attempt is from an unknown device at a location that was never previously used, the risk of fraud is high and requires MFA via a QR code. 

With the right tools and configuration, low-risk users won’t experience MFA fatigue – whether caused by a hacker or the organisation itself. If prompts for MFA are rarer overall, a hacker’s attempt is less likely to slip by unnoticed. Some Ping Identity customers have reported between a 65% and 89% reduction in MFA prompts by leveraging RBA [2]. Check out Ping’s new RBA solution, PingOne Protect (available in Summer 2023).
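An added example (not Ping Identity's engine) of the scoring and policy described above: a profile learns each user's devices, locations and networks from successful logins, scores an attempt by how many signals are unfamiliar, and maps the score to no MFA, a push, or a QR code as the article describes. The weights, thresholds and field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    """Signals collected for one login. Field names are assumptions for this example."""
    device_id: str
    location: str
    network: str

@dataclass
class UserProfile:
    """What the policy engine has learned about one user from past successful logins."""
    seen_devices: set = field(default_factory=set)
    seen_locations: set = field(default_factory=set)
    seen_networks: set = field(default_factory=set)

# Illustrative weights; a production engine learns these rather than hard-coding them.
WEIGHTS = {"device": 45, "location": 35, "network": 20}

def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """0 when every signal matches the user's history, 100 when none does."""
    score = 0
    if attempt.device_id not in profile.seen_devices:
        score += WEIGHTS["device"]
    if attempt.location not in profile.seen_locations:
        score += WEIGHTS["location"]
    if attempt.network not in profile.seen_networks:
        score += WEIGHTS["network"]
    return score

def choose_authentication(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Map the score to the article's policy: no MFA when low, push when medium, QR code when high."""
    score = risk_score(profile, attempt)
    if score < 30:
        return "none"       # known device at a known location: approve without MFA
    if score < 80:
        return "push"       # something unusual: step up with a number-matched push
    return "qr_code"        # unknown device at an unknown location: highest-assurance method

def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """After a successful authentication, learn the attempt's signals so future risk drops."""
    profile.seen_devices.add(attempt.device_id)
    profile.seen_locations.add(attempt.location)
    profile.seen_networks.add(attempt.network)
```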

Passwordless with FIDO2

FIDO2 (Fast Identity Online), the open authentication standard built on public key cryptography, allows users to authenticate biometrically on security keys or other FIDO-compatible devices. Generally considered the most secure way to authenticate, it forces proximity between the user and the accessing device, and because each credential is bound to the relying party’s origin, it prevents man-in-the-middle and reverse proxy attacks. Above all, FIDO2 is the backbone of the passwordless experience, so it’s both highly secure and user-friendly.

Despite the advantages, adopting FIDO2 has been relatively slow, with many roadblocks, most of which relate to cost and complexity. Nonetheless, FIDO2 remains one of the best options for dismantling MFA bombing. 
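The reason FIDO2 resists reverse proxy phishing is origin and RP ID binding. The following added example (not from the article or Ping Identity) shows the relying-party-side checks on a WebAuthn assertion that enforce it; the `bank.example` RP ID, the allowed origins and the constructed inputs are assumptions, and the signature check that follows these steps is left out.

```python
import base64
import hashlib
import json

RP_ID = "bank.example"                                                  # assumed RP ID
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}   # assumed origins

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes):
    """Relying-party checks from the WebAuthn authentication ceremony that tie the
    response to our origin and RP ID. A full verifier then checks the signature over
    authenticatorData || sha256(clientDataJSON) with the credential's stored public key."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or from another session"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # A reverse proxy serving our login page from its own host lands here:
        # the browser records the origin the user actually visited, not the one relayed to.
        return False, f"origin {origin!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    return True, "assertion bound to the relying party"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for what the browser puts in clientDataJSON."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags UP|UV (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
```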

  1. Ping Identity, ‘2021 Consumer Survey: Brand Loyalty is Earned at Login’
  2. Ping Identity, ‘2023 Customer Verified-Outcomes, Customer Success Program’


About Louise Watson

Louise Watson began her career in public media, non-profit fundraising, and political advocacy after finishing her master’s in political management at George Washington University in Washington, DC. She specialised in membership, fundraising, and marketing at Rocky Mountain PBS and Donor Development Strategies before transitioning to lead customer and product development at ACD Direct. While at ACD, Louise became a certified Product Master via the Pragmatic Institute. She is now the Product Marketing Manager at Ping Identity and an avid skier and golfer in her spare time.

About Ping Identity

At Ping Identity, we believe in making enterprise experiences both secure and seamless for all users, without compromise. That’s digital freedom. To achieve this, the PingOne Cloud Platform turns you into an experienced artist who can bring exceptional journeys to life with a simple no-code canvas. You can deliver passwordless authentication, protect user privacy, prevent fraud, architect for zero trust, and much more. For more information, please visit www.pingidentity.com.
