Organizations frequently implement multi-factor authentication (2FA, MFA) that uses push notification to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.
Push attacks (also called push notification attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until they are fatigued and finally accept it. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
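The burst-then-approve pattern described above is visible in an identity provider's MFA logs, and a defender can alert on it before fatigue sets in. The following is an added example, not code from the original post or from any IdP; the event format, threshold and window are assumptions, and the log lines are constructed:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events (not real logs): ISO timestamp, user, result.
# alice is being prompt-bombed and finally taps Approve; bob and carol are benign.
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:05", "alice", "push_denied"),
    ("2023-01-10T09:01:10", "alice", "push_timeout"),
    ("2023-01-10T09:02:30", "alice", "push_denied"),
    ("2023-01-10T09:03:00", "alice", "push_approved"),
    ("2023-01-10T09:00:00", "bob", "push_approved"),
    ("2023-01-10T09:30:00", "bob", "push_approved"),
    ("2023-01-10T08:00:00", "carol", "push_denied"),
    ("2023-01-10T08:20:00", "carol", "push_denied"),
    ("2023-01-10T08:45:00", "carol", "push_denied"),
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed: unanswered/denied pushes before alerting


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"first_alert": ts, "approved_after_burst": bool}} for users
    who received `threshold` denied or timed-out pushes inside `window`.
    An approval that follows such a burst is the highest-severity signal: it
    means the fatigued user let the attacker in, and that session should be
    reviewed or revoked."""
    alerts = {}
    recent = defaultdict(deque)  # per-user timestamps of denied/timed-out pushes
    for ts_str, user, result in sorted(events):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_str)
        if result == "push_approved":
            if user in alerts:
                alerts[user]["approved_after_burst"] = True
            continue
        if result not in ("push_denied", "push_timeout"):
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"first_alert": ts_str, "approved_after_burst": False}
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: burst at {info['first_alert']}, "
              f"approved afterwards={info['approved_after_burst']}")
```

Three denials spread over 45 minutes (carol) do not trip the window, while alice's three prompts in under three minutes do, and her later approval is flagged for session review.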
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification?
The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times, in concert with phishing tools, to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
Sending fake approval messages to a user is nothing new; we’ve seen them take the form of SMS phishing, fake login pages and, of course, the classic Google Drive email attachment.
Push notification attacks take advantage of a few key factors:
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily on security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.
Push-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.
Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale it becomes a very promising attack vector.
Of course, the elephant in the room common to all of these factors is that standard push notification MFA is inherently flawed and is increasingly being used as an attack vector.
The good news is that you can use alternative authentication flows that better secure your users, increase your login speed and provide a smoother user experience.
One solution is to deploy mobile-initiated authentication at the front door to your corporate experience: your computer.
When you combine user-first login with passwordless desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with HYPR’s Passwordless MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop.
User-initiated authentication for desktop SSO addresses multiple threats:
The mobile-initiated login method is multi-factor by design. It provides factors for:
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. HYPR’s QR Login feature lets users log into their SSO-managed web apps by scanning a QR code with the HYPR App or camera on their smartphone.
This prevents push fatigue and its potential for push attacks. It gives more control to the end user, who initiates their own authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR code login is also inherently multi-factor, as it utilizes something you have (your HYPR-registered phone) and something you are (biometric validation).
With push notifications, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day.
As cyberthreats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:
This post was originally published on October 27, 2020. It has been updated to reflect new data and information on push notification attacks as well as new technology innovations.