MFA Fatigue: A Security Flaw That Should Wake You Up

With the widespread adoption of remote work and new digital practices, CISOs are facing an increasing threat of cyberattacks. To counter these threats and better protect access to information systems, all experts agree on the relevance of multi-factor authentication (MFA) solutions.

Indeed, according to the latest CESIN barometer, these solutions rank first among the most effective cybersecurity protection measures. The same conclusion was reached by experts at the Panocrim 2023 event organized by CLUSIF, where MFA was designated as “one of the top cybersecurity measures.”

The ANSSI (French National Cybersecurity Agency) has also taken a stance on the issue by placing it at the heart of its recommendations. In its guide on multi-factor authentication and password recommendations, the agency highlights the limitations of passwords and recommends MFA solutions that strengthen password-only authentication by adding further factors.

Consequently, we are witnessing a significant rise in multi-factor authentication within many organizations aiming to strengthen their security posture to adapt to the cybersecurity landscape. With a usage rate of 63% for end users and 71% for administrators, deployment is booming!

However, there is always a downside… In light of this enthusiasm, MFA has become a prime target for cyber attackers, who aim to bypass organizations’ security barriers. It is in this context that MFA fatigue attacks have emerged on the cyber scene.

How Does an MFA Fatigue Attack Work?

MFA fatigue is a cyberattack targeting a specific authentication factor commonly used by multi-factor and passwordless solutions: the mobile push notification. The hacker’s strategy involves sending incessant notification floods to “wear out” the user, hence the name MFA fatigue. The goal is for the user to eventually relent and approve one of them, thus granting cyber attackers access to their account.

This attack relies on social engineering, a psychological manipulation technique for fraud purposes. The fraudsters exploit human weaknesses by targeting the user’s patience at late hours when exhaustion might lead to errors.

Let’s take a concrete example: the case of Uber, which made headlines last September. The cyberattack began when the attacker managed to obtain the password of an Uber subcontractor. The attacker then attempted to log into the subcontractor’s Uber account, triggering a validation request notification that the user initially refused, thus blocking the attacker’s access.

However, the attacker reported that in addition to sending notifications for over an hour, they also contacted the user via WhatsApp, posing as Uber’s security team to persuade them to accept one of the requests, which the user eventually did in good faith!

This attack had serious consequences for Uber, as the hacker reportedly managed to breach the company’s servers, leading to a wide compromise of its internal systems.

Every Authentication Method Has Its Weaknesses

Understanding Their Limitations to Strengthen Your Strategy

While only authentication schemes employing push notifications are susceptible to MFA fatigue, it is important to emphasize that all authentication methods have their limitations.
The more a technology becomes popular and widespread within organizations, the more it is targeted by fraudsters seeking to bypass it by any means. Who, for instance, hasn’t heard of SIM swap? This attack targets SMS-code authentication by diverting the victim’s SMS messages to a phone controlled by the attackers. To achieve this, fraudsters only need a few easily accessible personal details about their target: phone number, date of birth… They can then impersonate the victim to contact their telecom operator and obtain a new SIM card associated with the victim’s number.
Without delving into the specifics of all attacks dedicated to each method, keep in mind that most authentication solutions are susceptible to phishing attacks.
Only FIDO and WebAuthn technologies can counter this type of attack. However, “physical” keys also have limitations: they are particularly vulnerable to loss or theft and can complicate the user experience.
From identification to strong, multi-factor, and adaptive authentication, there is no universal and infallible method. That said, we agree with the observation made at Panocrim 2023: better to have attackable MFA than no MFA at all! Understanding the strengths and weaknesses of each authentication method should enable you to build an optimal IAM strategy tailored to the various use cases of your organization.

Balancing User Comfort vs. Security

Why has authentication via mobile push notification attracted so many organizations? Simply because it allows for simple and quick user connections, making users more inclined to use it! Let’s remember that we live in an era where users’ digital needs converge around ergonomics, speed, and personalization. Authentication solutions are no exception: a unified and seamless access journey must be provided for a smooth user experience.
This observation leads us to one of the biggest challenges for CISOs: finding the right balance between security and user experience. Neglecting comfort in favor of more complex authentication methods is counterproductive: any technology, no matter how effective, is inevitably rejected by users if deemed too restrictive. Users do not engage with offered services and circumvent system security if it is not user-friendly, thus exposing the company to threats.
To avoid imposing an unsuitable method, we recommend adapting your authentication method to the criticality level of your resources. The more sensitive the data, the higher the level should be, as with access to administrative accounts, for example. Conversely, when accessing risk-free resources, prioritize a method that offers more comfort to your users. It’s all about finding the right balance!

How to Limit MFA Fatigue Attacks?

Focus on Push Notifications

If you wish to implement an MFA solution via push notifications within your organization, it will be absolutely essential to conduct awareness campaigns for your users. Since MFA fatigue targets human vulnerabilities, having employees aware of this type of attack will reduce the risk of error and intrusion into your IS. In general, employee awareness is a pillar of any cybersecurity strategy.
Technical solutions can also help mitigate the risk of attack. For instance, pull notifications as an authentication factor are widespread in the banking sector: in this scheme, the user must open their application to trigger the notification. It is then impossible for cyber attackers to send notification floods to their victim.
Another example: using a challenge. Instead of simply validating the notification, the user must confirm a challenge presented to them, usually a number or an image. To validate it, they must, for example, select or enter on their phone the number displayed on the authentication screen.
Adding this step enhances security: approving a prompt now requires information that only appears on the legitimate login screen, so the risk of a victim flooded with notifications during an attack confirming one by mistake is reduced.
These two techniques better protect authentication via notification against MFA fatigue attacks, but keep in mind that humans remain the center of the vulnerability. If the attacker manipulates them more deeply (by contacting them via WhatsApp, for example), the risk persists. Therefore, if critical data is at stake, it’s better to opt for other methods less susceptible to human vulnerability.
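To make the two mitigations concrete, here is an added example (written for this article, not code from the original post or from any product mentioned in it) of the server side of a push second factor. It models three schemes: plain push, where any tap approves; number matching, where the tap must carry the number shown on the login screen; and a pull scheme, where no prompt exists until the user opens the app. The class, the user name "alice", the 60-second prompt lifetime and the two-digit challenge are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

CHALLENGE_TTL_SECONDS = 60  # an unanswered prompt is discarded after this delay (assumption)


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    number: int          # shown on the login screen; must be typed into the app
    created_at: float
    consumed: bool = False


class PushAuthServer:
    """Server side of a push second factor (illustrative model, not a real product API).

    pull_mode=True models the banking-style scheme: a prompt only exists once the
    user has opened the app, so nobody can push prompts at an idle phone.
    require_number_match=True models number matching: tapping 'approve' is not
    enough, the number displayed on the login screen has to be entered in the app.
    """

    def __init__(self, pull_mode: bool = False, require_number_match: bool = True):
        self.pull_mode = pull_mode
        self.require_number_match = require_number_match
        self.pending: Dict[str, PushChallenge] = {}
        self.app_open_for: Set[str] = set()  # users who currently have the app open

    def app_opened(self, user: str) -> None:
        """The user opened the authenticator app (only meaningful in pull mode)."""
        self.app_open_for.add(user)

    def request_prompt(self, user: str, now: Optional[float] = None) -> Optional[PushChallenge]:
        """Called by the login page once the password has been accepted."""
        now = time.time() if now is None else now
        if self.pull_mode and user not in self.app_open_for:
            return None  # nothing is pushed: the user did not ask for a prompt
        challenge = PushChallenge(
            challenge_id=secrets.token_hex(8),
            user=user,
            number=secrets.randbelow(100),  # two-digit value displayed on the login screen
            created_at=now,
        )
        self.pending[challenge.challenge_id] = challenge
        return challenge

    def approve(self, challenge_id: str, number_entered: Optional[int],
                now: Optional[float] = None) -> bool:
        """Called by the phone app when the user approves a prompt."""
        now = time.time() if now is None else now
        challenge = self.pending.get(challenge_id)
        if challenge is None or challenge.consumed:
            return False  # unknown or already-used prompt (replay)
        if now - challenge.created_at > CHALLENGE_TTL_SECONDS:
            del self.pending[challenge_id]
            return False  # stale prompt
        challenge.consumed = True  # one answer per prompt, right or wrong
        if self.require_number_match and number_entered != challenge.number:
            return False  # a blind tap on one prompt among many fails here
        return True


def demo_push_schemes() -> Dict[str, bool]:
    """Exercise the three schemes for a constructed user 'alice'; returns the outcomes."""
    t0 = 1_700_000_000.0
    results: Dict[str, bool] = {}

    # plain push: any tap approves, so a worn-out user's tap is enough for the attacker
    plain = PushAuthServer(require_number_match=False)
    ch = plain.request_prompt("alice", now=t0)
    results["plain_push_blind_tap"] = plain.approve(ch.challenge_id, None, now=t0 + 5)

    # number matching: the tap must carry the number from the legitimate login screen
    matched = PushAuthServer()
    ch = matched.request_prompt("alice", now=t0)
    results["number_match_wrong_number"] = matched.approve(
        ch.challenge_id, (ch.number + 1) % 100, now=t0 + 5)
    ch = matched.request_prompt("alice", now=t0)
    results["number_match_right_number"] = matched.approve(ch.challenge_id, ch.number, now=t0 + 5)
    results["number_match_replay"] = matched.approve(ch.challenge_id, ch.number, now=t0 + 6)
    ch = matched.request_prompt("alice", now=t0)
    results["number_match_expired"] = matched.approve(ch.challenge_id, ch.number, now=t0 + 120)

    # pull mode: no prompt can exist until the user opens the app themselves
    pull = PushAuthServer(pull_mode=True)
    results["pull_without_app_open"] = pull.request_prompt("alice", now=t0) is None
    pull.app_opened("alice")
    ch = pull.request_prompt("alice", now=t0)
    results["pull_after_app_open"] = ch is not None and pull.approve(
        ch.challenge_id, ch.number, now=t0 + 5)
    return results


if __name__ == "__main__":
    for name, outcome in demo_push_schemes().items():
        print(f"{name:28s} -> {outcome}")
```

Note that a wrong number consumes the prompt: the user (or an attacker behind a flood) does not get a second guess on the same notification, and an approval arriving after the prompt has expired is rejected as well.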

FIDO2 and WebAuthn, a Good Compromise?

The use of FIDO2 and WebAuthn technologies for authentication leaves less room for user error compared to multi-factor technologies such as notification validation.
To increase the reliability of user authentication, they rely on robust cryptographic protocols and hardware or biometric keys, such as secure USB keys or PCs with integrated fingerprint recognition sensors.
Implementing these technologies protects your IS from many threats, including MFA fatigue and phishing (the credential is cryptographically bound to the legitimate site’s origin, so it cannot be replayed on a lookalike page). However, the downside is that their implementation can be more costly and their use less ergonomic for your employees, especially with physical tokens.
Once again, it is a matter of balancing ergonomics/security/cost specific to each organization. The perfect authentication method does not exist; you must find the one best suited to your challenges and priorities!

Adjusting Security Levels with Adaptive and Contextual Authentication

Adaptive authentication, based on a dynamic risk analysis, is a highly relevant technology here. It reconciles ergonomics and security by offering varied methods and raising the required authentication level when a risk is detected, so as to make sure the approval really comes from the legitimate user.
The method involves calculating the reliability level of an authentication request at a given moment. The evaluation relies on contextual criteria: device used, connection location and time, geoprofiling, application sensitivity, user profile, etc. Thus, when a user wishes to access an application, they will be asked for a different authentication level depending on the assessed confidence level. If the risk is too high, the connection can be blocked.
In this way, adaptive authentication can stop an MFA fatigue attack by refusing to send repeated notifications, or by refusing requests coming from unusual geolocations.
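The following is an added example of such a risk engine (illustrative code written for this article, not the Ilex platform or any other product). It scores each sign-in attempt on the contextual criteria listed above (device, country, time of day, application sensitivity) and treats a burst of push prompts for the same account as a flood. The weights, thresholds, the ten-minute window, the user "alice", her profile and the country code "XX" are constructed assumptions, not a published risk model.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignInAttempt:
    user: str
    at: datetime
    device_id: str
    country: str
    app_sensitivity: str  # "low" or "high"


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    work_hours: Tuple[int, int] = (7, 20)  # local hours considered normal


# Illustrative weights and thresholds (assumptions for the example).
PROMPT_WINDOW = timedelta(minutes=10)
MAX_PROMPTS_IN_WINDOW = 3   # reaching this many pushes in the window is treated as a flood
STEP_UP_THRESHOLD = 3
BLOCK_THRESHOLD = 6


class AdaptiveAuthEngine:
    """Scores each sign-in attempt from its context and chooses an authentication level."""

    def __init__(self, profiles: Dict[str, UserProfile]):
        self.profiles = profiles
        self.recent_prompts: Dict[str, Deque[datetime]] = {}

    def _prompts_in_window(self, user: str, now: datetime) -> int:
        """Number of push prompts actually sent to this user inside the sliding window."""
        prompts = self.recent_prompts.setdefault(user, deque())
        while prompts and now - prompts[0] > PROMPT_WINDOW:
            prompts.popleft()
        return len(prompts)

    def score(self, attempt: SignInAttempt) -> Tuple[int, List[str]]:
        """Return the risk score and the reasons that contributed to it."""
        profile = self.profiles[attempt.user]
        start, end = profile.work_hours
        checks = [
            (attempt.device_id not in profile.known_devices, 3, "unknown device"),
            (attempt.country not in profile.usual_countries, 3, "unusual country"),
            (not (start <= attempt.at.hour < end), 1, "outside usual hours"),
            (attempt.app_sensitivity == "high", 2, "sensitive application"),
            (self._prompts_in_window(attempt.user, attempt.at) >= MAX_PROMPTS_IN_WINDOW,
             BLOCK_THRESHOLD, "push prompt flood"),
        ]
        score = sum(weight for hit, weight, _ in checks if hit)
        reasons = [reason for hit, _, reason in checks if hit]
        return score, reasons

    def decide(self, attempt: SignInAttempt) -> str:
        """'push' (send a notification), 'step-up' (phishing-resistant factor) or 'block'."""
        score, _ = self.score(attempt)
        if score >= BLOCK_THRESHOLD:
            return "block"
        if score >= STEP_UP_THRESHOLD:
            return "step-up"
        # only a push that is really sent counts towards the flood detection
        self.recent_prompts.setdefault(attempt.user, deque()).append(attempt.at)
        return "push"


def run_adaptive_scenario() -> List[str]:
    """Constructed sign-in attempts for user 'alice'; returns the engine's decisions in order."""
    engine = AdaptiveAuthEngine({
        "alice": UserProfile(known_devices={"laptop-1"}, usual_countries={"FR"}),
    })
    d1, d2 = datetime(2023, 3, 1), datetime(2023, 3, 2)
    attempts = [
        SignInAttempt("alice", d1.replace(hour=10), "laptop-1", "FR", "low"),    # routine
        SignInAttempt("alice", d1.replace(hour=22), "laptop-1", "FR", "high"),   # sensitive app, late
        SignInAttempt("alice", d2.replace(hour=3), "unknown-7", "XX", "high"),   # unknown device abroad
        # burst of password-correct attempts from a familiar context: the MFA fatigue pattern
        SignInAttempt("alice", d2.replace(hour=10, minute=5), "laptop-1", "FR", "low"),
        SignInAttempt("alice", d2.replace(hour=10, minute=6), "laptop-1", "FR", "low"),
        SignInAttempt("alice", d2.replace(hour=10, minute=7), "laptop-1", "FR", "low"),
        SignInAttempt("alice", d2.replace(hour=10, minute=8), "laptop-1", "FR", "low"),
        SignInAttempt("alice", d2.replace(hour=10, minute=9), "laptop-1", "FR", "low"),
    ]
    return [engine.decide(a) for a in attempts]


if __name__ == "__main__":
    for decision in run_adaptive_scenario():
        print(decision)
```

The routine attempt gets a plain push, the late access to a sensitive application is stepped up to a stronger factor, the attempt from an unknown device abroad is blocked outright, and once three pushes have been sent within ten minutes the engine stops notifying the phone, which is exactly the flood an MFA fatigue attacker relies on.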
This technology addresses the most complex use cases, and we recommend seeking guidance from experts in the field to pragmatically and iteratively build your project. This is how you can implement evolving and robust IAM solutions, a key component of cybersecurity!
Thanks to our experience in identity and access management, our experts have successfully supported the specific needs of our 300 clients on the Ilex IAM Platform. This expertise allows us to offer you a sustainable and scalable foundation designed to meet your unique requirements.

Limiting Your Intrusion Surface with the Zero Trust Approach

A well-suited authentication method for your organization thus reduces the risk of human errors that could lead to an intrusion into the IS. However, the threat remains if attackers decide to go further in their manipulation.

To go further, it is essential to ensure that, even if the attacker manages to compromise a first line of defense, they cannot access all resources. To achieve this, two key rules of the Zero Trust approach can be applied:

  • The user must re-authenticate whenever they wish to change environment or context.
  • Access permissions must be defined according to the principle of least privilege.
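The two rules above, as an added example (written for this article, not code from the original post or any product): a session is bound to the context it was authenticated from, any request arriving from a different device or network zone is answered with a re-authentication demand rather than served, and each resource action lists the only roles allowed to perform it, with everything else denied. The resources, roles, network zones and the user "alice" are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Context:
    """The environment a session was authenticated from."""
    device_id: str
    network_zone: str   # e.g. "corp-lan", "vpn", "internet" (constructed labels)


@dataclass
class Session:
    user: str
    roles: FrozenSet[str]
    context: Context    # bound at authentication time


# Least privilege: each (resource, action) lists the only roles allowed; anything
# not listed is denied. Resources and roles are constructed for the example.
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "hr-portal": {"read": {"hr", "hr-admin"}, "export": {"hr-admin"}},
    "wiki": {"read": {"staff", "hr", "hr-admin"}, "write": {"staff"}},
}


def authorize(session: Session, current: Context, resource: str, action: str) -> str:
    """Return 'allow', 'deny' or 'reauth-required' for one access request."""
    if current != session.context:
        return "reauth-required"   # context changed: the earlier authentication is not reused
    allowed = PERMISSIONS.get(resource, {}).get(action, set())
    return "allow" if session.roles & allowed else "deny"


def reauthenticate(session: Session, new_context: Context, second_factor_ok: bool) -> Session:
    """Rebind the session to a new context only after a fresh, successful authentication."""
    if not second_factor_ok:
        raise PermissionError("re-authentication failed; session keeps its old context")
    return replace(session, context=new_context)


def run_zero_trust_scenario() -> List[str]:
    """Constructed session for 'alice' (roles hr + staff); returns the decisions in order."""
    office = Context("laptop-1", "corp-lan")
    home = Context("laptop-1", "internet")
    session = Session("alice", frozenset({"hr", "staff"}), office)
    outcomes = [
        authorize(session, office, "hr-portal", "read"),     # allow: role hr, same context
        authorize(session, office, "hr-portal", "export"),   # deny: export needs hr-admin
        authorize(session, home, "hr-portal", "read"),       # reauth-required: context changed
    ]
    try:
        reauthenticate(session, home, second_factor_ok=False)
    except PermissionError:
        outcomes.append("reauth-rejected")                   # failed re-auth changes nothing
    session = reauthenticate(session, home, second_factor_ok=True)
    outcomes.append(authorize(session, home, "hr-portal", "read"))     # allow after re-auth
    outcomes.append(authorize(session, home, "hr-portal", "export"))   # still deny
    return outcomes


if __name__ == "__main__":
    for outcome in run_zero_trust_scenario():
        print(outcome)
```

Even if an attacker obtains one approval through a fatigue attack, the resulting session only carries the roles the user actually holds and only works from the context it was opened in; moving to another environment costs a fresh authentication.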

Recommended by the ANSSI and the NIST, the Zero Trust architecture model effectively reduces the impact of your organization’s security incidents by limiting the intrusion area, as we previously discussed in our article on the Zero Trust Network Access approach.

By ensuring that access to critical resources is limited to authorized individuals only, an IAM strategy addressing adaptive authentication fits perfectly into the Zero Trust approach.

Zero Trust and IAM are, in fact, closely linked: by relying on a comprehensive IAM platform that combines multi-factor and contextual authentication technologies, access control, and permissions management, you can establish a systematic, continuous, and dynamic access verification process, compliant with a Zero Trust security policy adapted to the current digital context.

To return to and conclude on MFA fatigue, it is crucial to consider these attacks in your access management strategy, because they are not inevitable.

By opting for adaptive authentication, you will instantly reduce intrusion risks while laying the foundation for a Zero Trust architecture within your organization.

Guillaume Guerrin
Pre-sales Director Inetum Software
Cybersecurity Solutions