The recently reported breach at Uber highlighted a new social engineering, not technical, attack against multi-factor authentication (MFA) that everyone should be aware of. MFA greatly enhances a system’s ability to resist account takeover attacks, as the attacker must not only gain a user’s ID and password, they must also obtain a separate code or approval from a separate device, usually from an authentication application on the user’s smartphone in order to gain access to a user’s system or account. This latest attack against MFA, commonly known as multi-factor fatigue or MFA fatigue, uses the push notification capability of these authentication apps to annoy users into providing the final step of MFA authentication.
What is the attack?
Once a hacker has obtained a user’s credentials via phishing or some other means, they can then seek to obtain the final MFA factor by annoying the user into giving them access by sending them a constant barrage of authentication requests. These requests are automatically initiated by the attacker when they log into the user’s MFA-protected service, which, if the user is using an external authentication app, will automatically prompt the user (if so configured) to approve the final access. Users’ who are unaware of what is happening may just approve the request to make the notifications stop, not realizing that they have given the attacker access to their account.
How to spot the attack
Anyone who receives an authentication app approval request when they are already logged into their account, and especially if they receive another pop-up request if they deny the initial request, should view this as a potential MFA fatigue attack. As a precaution, they should reset the password for the impacted account if they suspect that someone else was attempting to log in. If this is a fatigue attack, this should stop the alerts as the attacker can no longer successfully log in to start the attack.
What can companies do?
Companies who have enabled MFA for access to their systems (which they should!) which make use of smartphone apps for the 2nd factor, should alert users to this attack behavior. For greater control, push notifications to MFA apps can be disabled (if possible), and TOTP (Temporal One Time Passcodes) passcodes can be enforced instead. Ultimately, the transition to the new FIDO2 standard for authentication should address this issue, at least until a yet unknown vulnerability is discovered in FIDO2 and the game of whack-a-mole continues.