Many organizations implement multi-factor authentication (2FA, MFA) that uses PUSH notification to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IDPs) and 2FA products work in this way. The problem with PUSH-based authentication is that, like most things, it can be exploited.
According to Kaspersky, PUSH-based attacks grew nearly 70% in 2019. While still nascent, PUSH attacks are quickly becoming a problem.
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? Is it a message or a prompt asking for your approval?
How likely are you to casually approve it, or do so out of habit, just to get on with your day?
Would a less tech-savvy user in your organization tap “Approve” on their mobile app when they get the notification?
The reality is they are likely to do so. For years people have hastily approved a PUSH notification here and there, without knowing or understanding the repercussions for their work environment. In 2018, malicious actors exploited this concept, known as “PUSH fatigue”, multiple times, in concert with phishing tools, to target politicians involved in the economic and military sanctions against Iran.
The lack of awareness is concerning and is being exploited by bad actors. The inability to distinguish a real PUSH notification from a malicious one, combined with the autopilot habit of approving them, has opened a new attack vector. Sending fake approval messages to a user is nothing new; we’ve seen them take the form of SMS phishing, fake login pages and, of course, the classic Google Drive email attachment.
PUSH notification attacks take advantage of a few key factors:
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the PUSH problem is part of users’ daily vocabulary.
PUSH-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. So, it’s no surprise people aren’t quick to be suspicious of this functionality.
Between texts, emails, and Spotify alerts, our smartphones are overloaded with notifications. There is simply too much information to process — and hackers can take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think about or even see all of them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale it becomes a very promising attack vector.
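The pattern the three factors above produce is visible on the IdP side: one user receives a burst of prompts in minutes, rejects or ignores several, then approves one. The following detection logic is an added example written for this post, not HYPR’s code; the log format (timestamp, user, prompt result, source IP of the login attempt) and the window and threshold values are assumptions, and the log lines are constructed.

```python
"""Flag PUSH-fatigue bursts in MFA prompt logs.

Added example; log format, window and threshold are assumptions.
Each record is one push prompt: ISO timestamp, user, result
(approved/denied/timeout), source IP of the login attempt that
triggered the prompt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the demo.
SAMPLE_LOG = """\
2023-05-01T09:00:05Z alice approved 10.0.0.12
2023-05-01T13:02:10Z bob denied 203.0.113.7
2023-05-01T13:02:41Z bob denied 203.0.113.7
2023-05-01T13:03:15Z bob timeout 203.0.113.7
2023-05-01T13:03:50Z bob denied 203.0.113.7
2023-05-01T13:04:20Z bob approved 203.0.113.7
2023-05-01T14:10:00Z carol approved 10.0.0.40
2023-05-01T14:10:30Z carol approved 10.0.0.40
"""

WINDOW = timedelta(minutes=10)   # assumed analysis window
PROMPT_THRESHOLD = 3             # assumed: prompts in window that count as a burst


def parse_log(text):
    """Parse the whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip,
        })
    return events


def find_push_fatigue(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per approval that closes a burst of >= threshold
    prompts within `window` containing at least one denial or timeout.

    A legitimate user rarely gets several prompts in minutes and almost
    never approves after denying some; an attacker who keeps triggering
    prompts with a stolen password produces exactly that sequence.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            burst = [x for x in evs[:i + 1] if e["ts"] - x["ts"] <= window]
            rejected = [x for x in burst if x["result"] in ("denied", "timeout")]
            if len(burst) >= threshold and rejected:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "prompts_in_window": len(burst),
                    "rejections_before_approval": len(rejected),
                    "source_ips": sorted({x["ip"] for x in burst}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log only bob trips the rule: five prompts in two minutes, four rejected, then an approval, all from one external address. Carol’s two quick approvals with no rejections stay quiet, which is the point of requiring a rejection before the approval rather than alerting on volume alone.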
I’ve got some bad news for you. PUSH-based authentication is the industry standard and it’s not going to disappear anytime soon.
The good news? There are alternative authentication flows that can secure your user experience, increase your login speed, and don’t require you to stop using PUSH.
Taking a Mobile-First Approach to Authentication
One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.
When you combine mobile-first login with Integrated Windows Authentication (IWA), also called desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single-Sign On. It’s more secure than a PUSH-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with True Passwordless SSO by HYPR, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN, and gain access to your desktop.
Mobile-initiated authentication for desktop SSO addresses multiple threats:
The login action is initiated by the user. This requirement signals a clear intent to log in. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
Login of this kind is phishing-resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM swapping attacks that are common among legacy, password-based MFA solutions.
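The three properties above follow from where the flow starts. The model below is an added illustration, not HYPR’s protocol or code: it assumes each enrolled phone holds a per-device secret (an HMAC key stands in for the asymmetric key a real deployment would use), that the phone requests a challenge only after the local biometric or PIN succeeds, and that the desktop merely polls for a session the phone created. The server exposes no call that sends a prompt to a user, so there is nothing for an attacker holding the password to spam; the assertion is bound to a nonce and to the workstation the user selected.

```python
"""Mobile-initiated desktop login, modelled for illustration.

Added example; HMAC over a shared device secret is an assumed stand-in
for the asymmetric key a production deployment would enroll.
"""
import hashlib
import hmac
import secrets


def sign(device_key, user, workstation, nonce):
    """Assertion over user|workstation|nonce; binding to the workstation
    stops a captured assertion from unlocking a different machine."""
    msg = f"{user}|{workstation}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self.devices = {}         # user -> device key, enrolled out of band
        self.sessions = {}        # session id -> pending login
        self.used_nonces = set()  # replay protection

    def enroll(self, user, device_key):
        self.devices[user] = device_key

    # Step 1: the phone asks for a challenge for the workstation it selected.
    # Nothing here notifies the user; there is no "push" to approve.
    def begin(self, user, workstation):
        nonce, sid = secrets.token_hex(16), secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "workstation": workstation,
                              "nonce": nonce, "unlocked": False}
        return sid, nonce

    # Step 2: the phone returns the assertion after the local unlock.
    def complete(self, sid, signature):
        s = self.sessions.get(sid)
        if s is None or s["nonce"] in self.used_nonces:
            return False
        expected = sign(self.devices[s["user"]], s["user"], s["workstation"], s["nonce"])
        if not hmac.compare_digest(expected, signature):
            return False
        self.used_nonces.add(s["nonce"])
        s["unlocked"] = True
        return True

    # Step 3: the desktop polls; it only ever sees sessions the phone started.
    def workstation_unlocked(self, workstation):
        return any(s["unlocked"] and s["workstation"] == workstation
                   for s in self.sessions.values())


class Phone:
    def __init__(self, user, device_key):
        self.user, self.key = user, device_key

    def login_to(self, server, workstation, local_unlock_ok=True):
        """Returns (ok, sid, signature); sends nothing if the local unlock fails."""
        if not local_unlock_ok:
            return False, None, None
        sid, nonce = server.begin(self.user, workstation)
        sig = sign(self.key, self.user, workstation, nonce)
        return server.complete(sid, sig), sid, sig


def demo():
    server = AuthServer()
    key = secrets.token_bytes(32)
    server.enroll("alice", key)
    phone = Phone("alice", key)
    r = {}
    # Failed biometric/PIN: no session is ever created server-side.
    r["no_unlock"] = phone.login_to(server, "WS-ALICE", local_unlock_ok=False)[0]
    r["sessions_after_failed_unlock"] = len(server.sessions)
    ok, sid, sig = phone.login_to(server, "WS-ALICE")
    r["legit"] = ok
    r["ws_unlocked"] = server.workstation_unlocked("WS-ALICE")
    # Replaying the captured assertion fails: the nonce was consumed.
    r["replay"] = server.complete(sid, sig)
    # Presenting it for a session aimed at another workstation fails: wrong binding.
    sid2, _ = server.begin("alice", "WS-OTHER")
    r["wrong_workstation"] = server.complete(sid2, sig)
    r["other_ws_unlocked"] = server.workstation_unlocked("WS-OTHER")
    return r


if __name__ == "__main__":
    print(demo())
```

The two negative checks at the end are what a reviewer of such a design should look for: a single-use nonce so an intercepted assertion cannot be replayed, and the workstation identifier inside the signed message so an assertion minted for the user’s own machine cannot unlock one an adversary chose.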
MFA By Design
In case this needs clarification, the mobile-initiated login method is multi-factor by design. It provides factors for:
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
With PUSH-based MFA, organizations are relying on the weakest link known to security — people. As we’ve seen with passwords, we cannot rely on people to properly secure themselves. Why? Because it is human nature to take the path of least resistance. This includes recklessly accepting PUSH notifications so we can continue on with our day.
As cyberthreats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of PUSH attacks:
FIDO2 strengthens your security posture and closes off further exploitable PUSH attacks. In our next post we’ll take a closer look at how WebAuthn is already making an impact on reducing the risk of PUSH attacks.