Organizations frequently implement multi-factor authentication (2FA, MFA) that uses push notification to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.
- The 2022 Passwordless Security Report found that push attacks grew 33% year over year
- Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive Solar Winds supply chain attack
- The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.
What Are Push Attacks?
Push attacks (also called push notification attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until they are fatigued and finally accept it. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
How Does a Push Attack Work?
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification?
The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools such to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
Push Attack Vulnerability Factors
Push notification attacks take advantage of a few key factors:
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily on security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.
Push-based approvals are often introduced to the enterprise along with an MFA app such as SalesForce Authenticator. The user associates the action of approving a request with a security feature. Given this, It’s understandable that people aren’t quick to be suspicious of this functionality.
Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale it becomes a very promising attack vector.
Compromisable Push Notification MFA
Of course the elephant in the room in common here is the fact that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.
Can You Prevent Push Attacks?
The good news is that you can use alternative authentication flows that better secure your users, increase your login speed and provide a smoother user experience.
Taking a User-First Approach to Authentication
One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.
When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop.
User-initiated authentication for desktop SSO addresses multiple threats:
- Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to login. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
- Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
- Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM swapping attacks that are common among legacy, password-based MFA solutions.
MFA By Design
The mobile-initiated login method is multi factor by design. It provides factors for:
- Something you are: your fingerprint, face scan, or other biometric recognition.
- Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
- Something you know: a decentralized PIN that’s also stored safely on your device.
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
Log into SSO With QR Code
Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. HYPR’s QR Login feature lets users log into their SSO-managed web apps by scanning a QR code with the HYPR App or camera on their smartphone.
This prevents push fatigue and its potential for push attacks. It gives more control to the end-user as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR Code login is also inherently multi factor as it utilizes something you have (your HYPR-registered phone) and something you are (biometric validation).
Preventing Push Attacks: Key Takeaways
With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day.
As cyberthreats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:
- Push-based MFA is subject to bypass commonly used tools such as Modlishka and phishing.
- Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise.
- Mobile-initiated login at the desktop is inherently multi-factor, this means you can leverage your SSO provider for instant access to cloud and web applications.
- QR Code login to SSO eliminates push notifications entirely from the authentication process.
This post was originally published on October 27, 2020. It has been updated to reflect new data and information on push notification attacks as well as new technology innovations.