Despite the benefits that MFA provides, cyber threat actors continue to use multiple techniques to bypass it. Last week, the Los Angeles County Department of Health Services disclosed a data breach caused by an MFA push notification spamming attack that is believed to have impacted roughly 47,000 individuals. The sector (healthcare) notwithstanding, this tactic continues to be widely used by threat actors against employees across every type of organization or business. While MFA provides significant benefits for securing accounts, it’s important to carefully plan its implementation and to educate users on the ways it can be bypassed, such as through MFA fatigue/MFA prompt bombing.
Threat actors barrage users with unauthorized MFA prompts in the hope that the user will accept one, either by accident or simply to make the prompts stop. Lapsus$, the extortion group identified as the group that breached Microsoft, Okta, and Nvidia, claimed to have worn down victims with repeated MFA push notifications, including a Microsoft employee. According to a message captured from the Lapsus$ Telegram channel, “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.” However, the important bit about MFA fatigue, perhaps more important than the potential victim accepting an unauthorized push request, is that the threat actor already has the target user’s valid credentials, which are required to trigger the push in the first place.
To combat MFA fatigue and other MFA bypass tactics, CISA strongly urges organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization's attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.
MFA Bypass Defenses for Consideration
To reduce the risk and protect your utility and users from succumbing to MFA bypass, consider the following in your MFA implementation:
- Train it. Include MFA bypass themes, like the ones highlighted in this post, in simulated phishing exercises and awareness education and discussions.
- Configure it. Ensure MFA settings are properly configured to protect against things like "fail open," re-enrollment, or initial device enrollment scenarios.
- Randomize it. Make sure user session identifiers are unique and randomly generated.
- Expire it. Configure timeouts before requiring MFA to a minimum acceptable timeframe (preferably at each login) so a threat actor cannot maintain persistence with a stolen session token.
- Force it. If a user reports repeated unauthorized MFA push notifications, immediately force a password reset.
- Harden it. Implement a FIDO2-compliant (phishing-resistant) security key for multi-factor authentication.
- Fake it. Encourage users to never use real answers in response to recovery questions (and to use a password manager).
- Disable it. Disable inactive accounts uniformly in Active Directory, MFA, etc. so they cannot be leveraged to re-enroll in MFA.
- Monitor it. Monitor network logs continuously for suspicious activity.
- Alert it. Implement appropriate security policies to alert on things like impossible logins.
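The "Monitor it" and "Alert it" items above are the ones that catch MFA fatigue while it is happening: a burst of push prompts to one user, and a login from a location the user could not physically have reached. The following Python is an added example written for this post, not code from the original page or from any vendor; it runs two such detections over a small constructed log. The event field names (`ts`, `user`, `event`, `ip`, `lat`, `lon`), the event names, the IP addresses, and the coordinates are all assumptions made for illustration and do not correspond to any real identity provider's export format.

```python
"""Added detection logic for two MFA-abuse signals: MFA push bombing and
impossible travel. All sample events below are constructed for illustration;
the field names are assumptions about an IdP/MFA log export, not any vendor's
real schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def _ev(ts, user, event, ip, lat, lon):
    return {"ts": ts, "user": user, "event": event, "ip": ip, "lat": lat, "lon": lon}


# Constructed sample log: alice logs in from Los Angeles at midnight, then
# someone holding her password fires six pushes from Berlin in under three
# minutes until she taps "approve"; bob is a normal single-push login.
SAMPLE_EVENTS = [
    _ev("2024-06-01T00:00:00", "alice", "login_success", "192.0.2.10", 34.05, -118.24),
] + [
    _ev(f"2024-06-01T01:0{i // 2}:{'30' if i % 2 else '00'}", "alice", "mfa_push_sent",
        "203.0.113.5", 52.52, 13.40) for i in range(6)
] + [
    _ev("2024-06-01T01:03:00", "alice", "mfa_push_approved", "203.0.113.5", 52.52, 13.40),
    _ev("2024-06-01T01:03:05", "alice", "login_success", "203.0.113.5", 52.52, 13.40),
    _ev("2024-06-01T09:00:00", "bob", "mfa_push_sent", "198.51.100.7", 40.71, -74.01),
    _ev("2024-06-01T09:00:20", "bob", "mfa_push_approved", "198.51.100.7", 40.71, -74.01),
    _ev("2024-06-01T09:00:25", "bob", "login_success", "198.51.100.7", 40.71, -74.01),
]


def parse(events):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    out = []
    for e in events:
        rec = dict(e)
        rec["ts"] = datetime.fromisoformat(e["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on any user who receives `threshold` or more push prompts inside
    a sliding `window`. The alert records whether an approval followed the
    burst, since an approval after a barrage is the likely compromise."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for r in parse(events):
        if r["event"] == "mfa_push_sent":
            pushes[r["user"]].append(r["ts"])
        elif r["event"] == "mfa_push_approved":
            approvals[r["user"]].append(r["ts"])

    alerts = []
    for user, times in pushes.items():
        start, best = 0, (0, None, None)  # densest window seen so far
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], t)
        count, first, last = best
        if count >= threshold:
            approved = any(last <= a <= last + window for a in approvals[user])
            alerts.append({"user": user, "count": count, "first": first,
                           "last": last, "approved_after": approved})
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Alert when consecutive successful logins for one user imply a travel
    speed above `max_speed_kmh` (roughly airliner speed)."""
    last_login, alerts = {}, []
    for r in parse(events):
        if r["event"] != "login_success":
            continue
        prev = last_login.get(r["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            # floor the gap at one second so two near-simultaneous logins do not divide by zero
            hours = max((r["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600.0
            speed = km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": r["user"], "from_ip": prev["ip"], "to_ip": r["ip"],
                               "km": round(km), "minutes": round(hours * 60),
                               "speed_kmh": round(speed)})
        last_login[r["user"]] = r
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS):
        print("PUSH BOMBING:", a)
    for a in detect_impossible_travel(SAMPLE_EVENTS):
        print("IMPOSSIBLE TRAVEL:", a)
```

Run against the constructed log, the first detector flags alice with six pushes in under three minutes followed by an approval, and the second flags her Los Angeles to Berlin "trip" of roughly 9,300 km in about an hour; bob's single push and nearby login produce nothing. The thresholds are starting points to tune against your own baseline, and the "approved after burst" flag is the one that should page someone, since it maps directly to the "Force it" item above (force a password reset, because the attacker already holds valid credentials).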