With so many organisations having already adopted MFA into their network security strategy, cybercriminals are now finding ways to manipulate and navigate around the MFA systems.
MFA Fatigue is a particularly prevalent technique that we’re seeing hackers use in today’s threat landscape, with large organisations such as Uber and Cisco reported as having been compromised in this way.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is an authentication method that requires a user to provide additional verification to their password-protected account to gain access.
Using Multi-Factor Authentication is one of the most secure and effective ways of providing additional protection to your password-protected account. This process involves having additional factors to log in, meaning that users must present two or more different methods to prove their identity.
These multiple types of authentication can include:
- Knowledge: Information that only the user knows, such as a password, pin, or unique identifier.
- Possession: Something that only the user has, such as a security token/USB stick, or a mobile phone, where an access code will be sent to the contact number associated with the account.
- Inherence: Something only the user is, which includes the use of biometric data such as facial recognition, voice recognition or fingerprint scanning.
- Location: Somewhere the user is. This is usually applied in adaptive MFA, where checks are made based on the user’s location, for example granting access if they are on a company site or an approved network location.
Adaptive (risk-based) MFA solutions also consider the risk associated with where the access request is coming from; for example, they will analyse the user’s location and device before allowing access.
MFA offers an extra layer of security and can be particularly effective for remote working, which has been a popular gateway for cyber-attacks, having opened up a whole new set of vulnerabilities for cyber-criminals to exploit.
Microsoft reports that, by providing an extra barrier that is incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks.
What is MFA Fatigue?
When an organisation utilises MFA, the authentication is often sent as a ‘push’ notification, which works as a simple prompt on the user’s mobile device to approve or deny when someone attempts to log in with their credentials. This is to confirm it’s the user logging in, and not a potential hacker.
MFA Fatigue comes into play when a hacker has already compromised a user’s password, whether via a phishing attack, brute force, or password spraying. Because a second level of authentication is still required, the attacker runs a script that repeatedly attempts to log in with the stolen credentials, generating a constant stream of MFA push requests to the user.
The aim is to overwhelm the targeted user with the bombardment of push notifications until they give up and click approve to stop the stream, which then lets the cybercriminal in. We have seen many attackers target people overnight, in an attempt to get the person so frustrated with the constant notifications, especially in the middle of the night, that they approve the authentication just to stop the requests. In some cases, the hacker will also contact the targeted user through email, impersonating IT support, to convince the user to accept the MFA prompt.
How To Protect Against MFA Fatigue
When it comes to preventing social engineering cyber-attacks, generating awareness and training your users to recognise attacks has become one of the most significant ways to prevent these scams and mitigate their possible consequences. If your users know that these types of attacks exist, they are more likely to be vigilant and recognise the signs of suspicious authentication activity.
MFA Fatigue – Things for your users to be aware of:
- Be suspicious of multiple rapid authentication attempts
- Be suspicious of authentication attempts when you are not using services
- Be suspicious of authentication attempts outside of usual working hours
- Be suspicious of telephone calls or email messages from someone claiming to be from your internal IT team, asking you to authenticate
- If in doubt, never authenticate without contacting your actual IT or security team for guidance
- Always report suspicious authentication behaviours to your IT or security team for investigation
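The warning signs listed above (a burst of unapproved prompts in a short window, prompts outside working hours, and an approval that follows the burst) can also be checked on the identity provider's side. The following is an added example written for this article, not code from the original post or from any MFA vendor; it runs over constructed sign-in log lines in a made-up `timestamp user push_result source_ip` format, and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from any real tenant):
# timestamp, user, push result, source IP
SAMPLE_LOG = """\
2023-03-01T02:10:05Z alice@example.com push_denied 203.0.113.7
2023-03-01T02:10:41Z alice@example.com push_timeout 203.0.113.7
2023-03-01T02:11:12Z alice@example.com push_denied 203.0.113.7
2023-03-01T02:11:50Z alice@example.com push_timeout 203.0.113.7
2023-03-01T02:12:33Z alice@example.com push_approved 203.0.113.7
2023-03-01T09:03:00Z bob@example.com push_approved 198.51.100.20
2023-03-01T09:45:10Z bob@example.com push_denied 198.51.100.20
"""

BURST_THRESHOLD = 3             # unapproved prompts before we flag (assumed value)
WINDOW = timedelta(minutes=10)  # ...within this sliding window (assumed value)
WORK_HOURS = range(7, 20)       # 07:00-19:59 counts as usual working hours (assumed)

def parse_log(text):
    """Parse the constructed log format into sorted (time, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events)

def detect_mfa_fatigue(text):
    """Return {user: finding} for users whose push prompts match the fatigue pattern."""
    recent = defaultdict(deque)  # user -> times of unapproved prompts still in window
    findings = {}
    for ts, user, result, ip in parse_log(text):
        window = recent[user]
        while window and ts - window[0] > WINDOW:  # slide the window forward
            window.popleft()
        if result in ("push_denied", "push_timeout"):
            window.append(ts)
        if len(window) < BURST_THRESHOLD:
            continue  # not a burst (yet)
        finding = findings.setdefault(user, {
            "unapproved_in_window": 0, "approved_after_burst": False,
            "off_hours": False, "source_ip": ip})
        finding["unapproved_in_window"] = max(finding["unapproved_in_window"], len(window))
        finding["off_hours"] |= ts.hour not in WORK_HOURS
        # The dangerous case: the user finally taps "approve" to stop the flood.
        if result == "push_approved":
            finding["approved_after_burst"] = True
    return findings
```

A finding with `approved_after_burst` set is the one to treat as a likely compromised session; the others are worth a call to the user.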
Configure Your MFA Request Notifications
Within your preferred MFA solution, you should be able to limit the number of MFA requests allowed. Additionally, you can change how push notifications are displayed to users, making it more difficult for a user to simply select “yes – authenticate”. By setting up additional user challenges within your MFA requests, users are more likely to think about the “yes” decision before making it.
Enabling MFA Number Matching or One-Time Codes
Many popular third-party authenticator applications, such as Microsoft Authenticator, also support more secure methods of two-factor authentication such as number matching or one-time codes (OTP).
With number matching, the user is asked to select two digits from a list of options on the authenticator app to match those shown on the login screen. This is only marginally more work for legitimate users to verify themselves while making the process considerably more secure. A variation of this may then require the user to enter the two-digit code shown on the login screen into the authenticator app, after which the session is authenticated.
With one-time-code or OTP authentication, the authenticator app displays a six to eight-digit code which changes every thirty seconds. This code must be typed into the login page and submitted before the code expires. This is somewhat less convenient for the legitimate user, but again, it considerably increases the level of security over a simple confirm/deny prompt.
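To show why number matching defeats the approve/deny flood described earlier, here is an added toy verifier written for this article (hypothetical code, not any vendor's implementation) that contrasts a legacy push, where "approve" alone completes the login, with number matching, where the app must echo the two-digit number shown only on the login screen. It also caps outstanding prompts per user, as the previous section recommends; the cap, the 60-second challenge lifetime and the class and method names are all assumptions.

```python
import secrets
import time

class PushMfaServer:
    """Toy second-factor verifier: legacy approve/deny vs. number matching."""

    def __init__(self, number_matching=True, max_pending=3, ttl_seconds=60):
        self.number_matching = number_matching
        self.max_pending = max_pending  # cap on outstanding prompts per user (assumed)
        self.ttl = ttl_seconds          # challenge lifetime in seconds (assumed)
        self.pending = {}               # session_id -> (user, number, expires_at)

    def start_login(self, user, now=None):
        """Password already verified; issue the second-factor challenge.
        Returns (session_id, number_shown_on_login_screen), or None if rate-limited."""
        now = time.time() if now is None else now
        # Drop expired challenges so they no longer count against the user's cap.
        self.pending = {s: v for s, v in self.pending.items() if v[2] > now}
        if sum(1 for u, _, _ in self.pending.values() if u == user) >= self.max_pending:
            return None  # burst of prompts: refuse rather than page the user again
        session_id = secrets.token_hex(8)
        # Number matching: a fresh two-digit number (00-99) bound to this session only.
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[session_id] = (user, number, now + self.ttl)
        return session_id, number

    def respond_from_app(self, session_id, approved, entered_number=None, now=None):
        """Handle the authenticator app's answer; each session is single-use."""
        now = time.time() if now is None else now
        entry = self.pending.pop(session_id, None)
        if entry is None or entry[2] <= now or not approved:
            return False  # unknown, expired, or explicitly denied
        _user, number, _expires = entry
        if self.number_matching:
            # A blind "approve" is not enough: the app must echo the number that only
            # the person at the login screen (attacker or user) can see.
            return entered_number == number
        return True  # legacy push: tapping approve alone completes the login
```

With number matching on, a victim who simply taps approve cannot complete an attacker's session without the number displayed on the attacker's screen, and a guessed number is rejected once and consumes the challenge.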
Using Single Sign On or SAML
MFA can also be combined with a single sign-on (SSO) solution, which means the user can enter one password to log in to several different apps seamlessly. Using one password across services would usually be a red flag in password security practices, but combining MFA with an SSO solution gives that single login an extra layer of security.
When a user signs into an application that allows SSO, it creates a time-limited authentication token that remembers that the user is verified. This data will be stored in either the user’s browser or the SSO server. If the user hasn’t signed in before, they will have to enter their credentials to generate their token for single sign-on.
Security Assertion Markup Language (SAML) is an open authentication standard that enables users to access multiple online applications or services with a single set of login credentials across domains. Using SAML, authentication is centralised and exchanged between the identity provider (IdP) and the service provider (SP), meaning that multiple web applications can leverage SAML via the identity provider to grant access to their users.
Combining SSO with MFA can considerably reduce the burden on users by dramatically lowering the number of times they have to log in with username/password/MFA prompts. This makes for an improved user experience: even if their login session has timed out, they are able to log back in on the same device with a few mouse clicks. Security is maintained because, if they change geographical location or client device, a fresh request for authentication will be triggered via appropriate Conditional Access policies.
Using a Hardware-Based Security “Key” to Authenticate
Security keys can be used as a hardware token for MFA but also for passwordless authentication, which is considered the most secure form of authentication. Users won’t need to remember long or complex passwords, so this has the benefit of both convenience and increased security with the token being protected by a PIN or biometric authentication.
Organisations with Azure AD or hybrid Azure AD joined devices can use security keys to authenticate to both cloud and on-premises resources. The security key will need to support the FIDO2 standard, and a list of all vendors offering compatible security keys is available from Microsoft.
Disabling Weaker Forms of MFA
Once more secure forms of MFA have been enabled, it is important to ensure all existing users have migrated to the new method and then disable the weaker, less secure MFA options. The security of an organisation is only as strong as its weakest link, and privileged users with a weaker form of MFA, such as SMS, will become a target for attacks over those with more secure methods.
How our Security Services can help
Whatever the requirement, Krome’s team of industry-experienced professionals can help. We design and deliver comprehensive security solutions and assessment services that help you to understand your current position, identify any gaps and strengthen your overall cybersecurity strategy. Services include:
- Ransomware Recovery Assessment
- Phishing Assessment / Security Awareness Service
- Vulnerability Assessment & Remediation
- Cyber Essentials Plus Readiness Assessment
If you would be interested to learn more about how our security services can help you to understand where your systems or data are most vulnerable, and the steps required to protect your business, please get in contact using the form below.