As multi-factor authentication (MFA) is now the identity security standard for ecommerce and financial institutions, attackers are evolving their tactics for bypassing MFA to commit account takeover fraud. One of the prominent attack vectors is called MFA bombing or flooding, which plays on a user’s emotions by manufacturing MFA fatigue.
In essence, attackers exploit users by flooding them with push notifications. Many users deny the prompts at first, but after receiving one every few seconds they get annoyed and approve the request just to make the notifications stop.
Many organisations that handle users’ money encourage the use of MFA for its threat protection, but relying on users to manually approve authentication requests is now riskier than ever. Even when not under attack, organisations are quickly recognising that they are losing productivity from employees and revenue from customers by forcing MFA too often. Over 56% of consumers have abandoned an online experience because the login process was too frustrating [1].
Four approaches to dismantling MFA bombing are covered below:
- limiting MFA prompts to a specific time frame
- leveraging push notifications with number selection
- utilising risk-based authentication
- going passwordless with FIDO2.
The easiest option to address MFA bombing is limiting the number of prompts sent to a user within a specific time frame. Even trained users may approve a push notification after being prompted ten times, so limiting the number of prompts to three, for example, can help.
Another easy option to dismantle MFA bombing is using push notifications with number selection. This method forces proximity by presenting a two-digit number on the device and asking the user to select it from a list of options. For many, getting a push notification with a number selection without seeing the number on the accessing device will look suspicious, and they will report the attack. However, this method of MFA could still cause fatigue and open the door to account takeover.
Beyond tweaking the settings of MFA prompts, risk-based authentication (RBA) is a more targeted option for dismantling MFA bombing. RBA limits the need for MFA and varies the method used based on different conditions. While attackers cause MFA fatigue, an organisation’s cumbersome authentication policies can also be a root cause.
RBA is adaptive and helps create intelligent access policies based on data inputs and risk signals. It makes authentication decisions smarter by learning the patterns of each user, device, location, network, etc., and providing a risk score.
MFA policies use this score to determine whether to approve or challenge authentication and what method to use. For example, if the user attempts to log in from a known device at a known location, the risk of account takeover is low, and no MFA is required. However, if the login attempt is from an unknown device at a location that was never previously used, the risk of fraud is high and requires MFA via a QR code.
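The following is an added example, not code from the article or from Ping Identity, that puts the prompt cap from the first option, the number matching from the second and the RBA decision described above into one policy function. The risk signals (known device, known location), the score thresholds, the five-minute window and the profile structure are all assumptions chosen for illustration.

```python
import secrets
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values: the article suggests a cap of three prompts; the window is an assumption.
PROMPT_LIMIT = 3
WINDOW_SECONDS = 300


@dataclass
class UserProfile:
    """Hypothetical per-user state: learned devices/locations and recent push timestamps."""
    known_devices: set
    known_locations: set
    pushes: deque = field(default_factory=deque)


def risk_score(profile, device, location):
    """Score 0-100 from the two risk signals the article names: device and location."""
    score = 0
    if device not in profile.known_devices:
        score += 50
    if location not in profile.known_locations:
        score += 50
    return score


def decide(profile, device, location, now):
    """Pick the MFA action for one login attempt at time `now` (seconds).

    Returns ('allow', None), ('push', code), ('qr', None) or ('suppressed', None);
    `code` is the two-digit number shown on the accessing device for number matching.
    """
    score = risk_score(profile, device, location)
    if score == 0:
        return ("allow", None)          # known device at known location: no MFA
    if score >= 100:
        return ("qr", None)             # unknown device and location: QR-code MFA
    # Medium risk: push with number matching, capped per user per window.
    while profile.pushes and now - profile.pushes[0] >= WINDOW_SECONDS:
        profile.pushes.popleft()       # drop prompts that fell outside the window
    if len(profile.pushes) >= PROMPT_LIMIT:
        return ("suppressed", None)     # cap reached: send no push, alert the SOC instead
    profile.pushes.append(now)
    return ("push", secrets.randbelow(90) + 10)


def number_matches(expected, selected):
    """Number matching: approve only if the user picks the number the accessing device showed."""
    return expected == selected
```

A fourth medium-risk attempt inside the window yields "suppressed" rather than another prompt, which is the signal worth alerting on: a legitimate user rarely needs more than three pushes in five minutes.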
With the right tools and configuration, low-risk users won’t experience MFA fatigue – whether caused by a hacker or the organisation itself. If prompts for MFA are rarer overall, a hacker’s attempt is less likely to slip by unnoticed. Some Ping Identity customers have reported between a 65% and 89% reduction in MFA prompts by leveraging RBA [2]. Check out Ping’s new RBA solution, PingOne Protect (available in Summer 2023).
FIDO2 (Fast Identity Online), the open authentication standard built on public key cryptography, allows users to authenticate biometrically on security keys or other FIDO-compatible devices. Generally considered the most secure way to authenticate, it forces proximity between the user and the accessing device while preventing man-in-the-middle and reverse proxy attacks. Above all, FIDO2 is the backbone of the passwordless experience, so it’s both highly secure and user-friendly.
[1] Ping Identity, ‘2021 Consumer Survey: Brand Loyalty is Earned at Login’
[2] Ping Identity, 2023 Customer Verified-Outcomes, Customer Success Program
At Ping Identity, we believe in making enterprise experiences both secure and seamless for all users, without compromise. That’s digital freedom. To achieve this, the PingOne Cloud Platform turns you into an experienced artist who can bring exceptional journeys to life with a simple no-code canvas. You can deliver password-less authentication, protect user privacy, prevent fraud, architect for zero trust, and much more. For more information, please visit www.pingidentity.com.