DigiBank NewsBytes

5 Myths About MFA Prompt Bombing: How Companies Can Protect Themselves
Overwhelming users with authentication requests leads to fatigue, undermining MFA and increasing security risks.
December 20, 2023

Attackers use MFA prompt bombing to try to gain access to a system protected by multi-factor authentication (MFA). The tactic involves sending numerous MFA authorisation requests to a user within a short period in the hope that the user is simply overwhelmed by the volume of requests. The constant need for users to enter authentication codes or take additional steps to confirm their identity can lead to frustration, resulting in MFA fatigue. This makes it easier for attackers to get past or switch off the security measure, which in turn undermines the effectiveness of the MFA and increases the risk of a security breach.

MFA prompt bombing is a specific method of attack and there are some misconceptions surrounding it. Nevis Security AG has summarised the five most common myths and provides tips on how to thwart these types of attacks:

MFA is always secure and therefore invulnerable to attack

The myth that MFA is always secure and not vulnerable to attack is based on the misconception that the use of multiple authentication factors automatically creates an impenetrable barrier. MFA does enhance security considerably by offering an extra layer of protection over and above the traditional password. However, the effectiveness of MFA is heavily dependent on whether it is implemented correctly. A lack of rate-limiting measures or inadequate detection of anomalies can even invite MFA prompt bombing. Therefore, companies should not only introduce MFA but also ensure that its implementation can withstand the latest threats.

Only weak authentication methods are vulnerable

In reality, MFA prompt bombing can be successful even if strong authentication methods such as biometric features or hardware-based tokens are used. This is the case if the attackers are able to bombard the user with fake push messages. Using a combination of social engineering, phishing or other methods of deception, they manage to persuade the user to act on the fake MFA prompts. Users who are not sufficiently aware of the threat of MFA prompt bombing are more likely to respond to fake requests.

MFA prompt bombing requires advanced hacking skills

Crime-as-a-Service (CaaS) enables even less experienced hackers to use MFA prompt bombing. The proliferation of instructions and tools on the darknet also means that the technique is increasingly being used by ‘hobby criminals’. Companies must be able to adapt their security measures to different threat levels. Monitoring suspicious user behaviour is one of the prerequisites for this.

One-time protection against MFA prompt bombing is sufficient

Attackers are constantly developing new, more sophisticated techniques to overcome the security measures deployed by companies. What is considered effective today may well be obsolete tomorrow. Static protection may not be sufficient to keep pace with the rapid development of threats. This is where a proactive security strategy – involving regular security checks, permanent monitoring measures, the updating of security protocols and the implementation of technologies that can respond to new threats – makes all the difference.

MFA prompt bombing only affects large companies

Companies of any size can fall victim to MFA prompt bombing. Smaller companies may be less well prepared – making them particularly attractive to attackers. Adaptive authentication adjusts the authentication requirements dynamically to user behaviour and context: a risk assessment based on analyses of those signals determines the risk associated with a particular login. A low-risk login proceeds seamlessly, while a higher-risk login requires additional authentication steps.
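The rate limiting and anomaly detection mentioned under the first myth, and the risk-based decision described above, can be combined in one server-side check on the stream of push-prompt events. The following is an added example, not code from Nevis Security AG or from this article; the sample log, the baseline of known IPs, the five-minute window, the three-prompt threshold and the three decision labels (push, step_up, suppress) are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # sliding window for counting prompts per user (assumed)
MAX_PROMPTS = 3                # this many prompts inside WINDOW is treated as a burst

# Constructed sample push-prompt log (not real telemetry), in time order:
# (timestamp, user, source IP of the login attempt, user's response if prompted)
SAMPLE_LOG = [
    ("2023-12-20T08:00:00", "alice", "203.0.113.10", "approved"),  # usual office IP
    ("2023-12-20T09:00:00", "bob",   "203.0.113.10", "approved"),
    ("2023-12-20T21:10:00", "alice", "198.51.100.7", "denied"),    # unfamiliar IP at night
    ("2023-12-20T21:10:30", "alice", "198.51.100.7", "denied"),
    ("2023-12-20T21:11:00", "alice", "198.51.100.7", "denied"),
    ("2023-12-20T21:11:20", "alice", "198.51.100.7", "none"),
    ("2023-12-20T21:12:00", "alice", "198.51.100.7", "none"),
]
# Constructed baseline: contexts each user has previously approved a login from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}

def evaluate(log, known_ips=KNOWN_IPS, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Replay a push-prompt log and decide how the MFA server should handle each attempt.

    Returns a list of (timestamp, user, decision) with decision one of:
      'push'      low risk: send the ordinary one-tap push (seamless login)
      'step_up'   elevated risk: require number matching or code entry, not a one-tap approve
      'suppress'  burst or repeated denials: send no prompt, hold further pushes, alert the SOC
    """
    recent = defaultdict(deque)  # user -> (timestamp, response) of attempts inside the window
    decisions = []
    for ts_str, user, ip, response in log:
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop attempts that fell out of the window
            q.popleft()
        denials = sum(1 for _, r in q if r == "denied")
        unfamiliar = ip not in known_ips.get(user, set())
        if len(q) >= max_prompts or denials >= 2:
            decision = "suppress"            # rate limit: the prompt-bombing signature
        elif unfamiliar or denials == 1:
            decision = "step_up"             # context or behaviour looks off: raise the bar
        else:
            decision = "push"
        q.append((ts, response))             # every attempt counts toward the window
        decisions.append((ts_str, user, decision))
    return decisions

if __name__ == "__main__":
    for ts, user, decision in evaluate(SAMPLE_LOG):
        print(ts, user, decision)
```

On the sample log the two daytime logins get a plain push, the first two night-time attempts from the unfamiliar address are stepped up, and from the third denial onward no further prompts are sent.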

Stephan Schweizer, CEO of Nevis Security AG, explains: ‘It’s important to strike a balance between security and user-friendliness. This means that companies should implement appropriate security policies in order to profit from the advantages of MFA. But the number of authentication steps required should be kept within reasonable limits – so as not to impair user-friendliness and hence avoid MFA fatigue.’