Mobile push MFA provides a second authentication factor and is popular with workforce users because approving a prompt on the phone is quick. That convenience is also its weakness: push MFA is vulnerable to push bombing, where an attacker who has already obtained the victim’s password (the first factor) starts login after login and floods the user’s phone with approval prompts. If the user approves one of them, the protection MFA provides is nullified.
What are MFA Push Bombing Attacks?
Push bombing is a targeted MFA fatigue attack in which an attacker initiates numerous login attempts against the target’s SSO portal or exposed corporate apps and services. The attacker already holds a phished, stolen, or leaked password and only needs the victim to approve the second factor delivered to their smartphone. The method works because employees re-authenticate many times a day, so approving a prompt becomes a reflex; a continuous stream of requests frustrates the user and raises the chance of an accidental or exasperated approval.
How Push Bombing Works
Push bombing ranges from simple attacks on individual employees to coordinated campaigns against large enterprises. It targets the preventive identity controls during the initial access phase of a five-stage cycle:
- Reconnaissance: The attacker studies the target’s workflows and publicly exposed resources.
- Credential Access: The attacker obtains the target’s credentials through phishing, password cracking, or from the dark web.
- Initial Access: The attacker initiates repeated login attempts, each of which sends a push notification to the victim. They may combine this with social engineering, such as a fake IT help desk call telling the victim to approve the request.
- Lateral Movement: After gaining access, the attacker often moves laterally within the enterprise, aiming to acquire more valuable assets.
- Impact: The attacker may deploy ransomware, exfiltrate data, or install backdoors for future access.
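The sequence above leaves a recognisable trace in the identity provider’s logs: a burst of push prompts for one account, usually with denials, and sometimes ending in an approval. The following detector is an added example, not code from the original post or from the vendors it mentions; the log format, event names and thresholds are assumptions, and the log lines are constructed.

```python
"""Detect push-bombing bursts in MFA logs. Added example; format and thresholds assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, event, source IP.
# alice is bombed five times in 80 seconds, denies twice, then approves.
SAMPLE_LOG = """\
2024-05-06T08:01:10Z alice push_sent 203.0.113.7
2024-05-06T08:01:25Z alice push_denied 203.0.113.7
2024-05-06T08:01:40Z alice push_sent 203.0.113.7
2024-05-06T08:01:55Z alice push_denied 203.0.113.7
2024-05-06T08:02:05Z alice push_sent 203.0.113.7
2024-05-06T08:02:20Z alice push_sent 203.0.113.7
2024-05-06T08:02:30Z alice push_sent 203.0.113.7
2024-05-06T08:02:48Z alice push_approved 203.0.113.7
2024-05-06T08:03:00Z bob push_sent 198.51.100.20
2024-05-06T08:03:12Z bob push_approved 198.51.100.20
2024-05-06T09:15:00Z carol push_sent 192.0.2.9
2024-05-06T09:15:30Z carol push_denied 192.0.2.9
2024-05-06T09:40:00Z carol push_sent 192.0.2.9
2024-05-06T09:40:12Z carol push_approved 192.0.2.9
"""


def parse_log(text: str) -> list:
    """Parse 'timestamp user event ip' lines into (datetime, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_bombing(events, window=timedelta(minutes=5), max_pushes=3) -> dict:
    """Flag users who received more than max_pushes prompts inside any sliding window.

    Returns {user: finding}; a burst that ends in an approval is rated critical
    because the attacker is then inside the account.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        sends = [e[0] for e in evs if e[2] == "push_sent"]
        best = (0, None, None)                  # (count, burst start, burst end)
        left = 0
        for right, t in enumerate(sends):       # classic sliding window over send times
            while t - sends[left] > window:
                left += 1
            count = right - left + 1
            if count > best[0]:
                best = (count, sends[left], t)
        count, start, end = best
        if count <= max_pushes:
            continue
        # Look at everything from the first prompt until one window after the last.
        burst = [e for e in evs if start <= e[0] <= end + window]
        denials = sum(1 for e in burst if e[2] == "push_denied")
        approved = any(e[2] == "push_approved" for e in burst)
        findings[user] = {
            "pushes": count,
            "denials": denials,
            "approved": approved,
            "severity": "critical" if approved else "high",
            "source_ips": sorted({e[3] for e in burst}),
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

Carol’s two prompts 25 minutes apart are normal re-authentication and are not flagged; the denials inside alice’s burst are the strongest signal, since a legitimate user rarely refuses their own login several times in a row.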
Measures to Stop Push Bombing Attacks
Preventing successful push bombing attacks involves both educating users and using advanced MFA technologies.
User Education
Training employees to recognize social engineering attacks like push bombing is essential, but training alone cannot stop every approval. Even after intensive training, around 5% of users still click on phishing links.[1] Technical controls are therefore also necessary.
Adaptive MFA Techniques
Adaptive MFA adds risk evaluation to the standard MFA workflow so that anomalous signals are acted on. When it detects one, the platform enforces additional steps: verifying the geolocation of the request, requiring a one-time password (OTP) instead of a push approval, or refusing to send further prompts once a user has received too many in a short period (request-frequency violations), which directly blunts push bombing. These techniques raise the bar for an attacker but still rely on the user’s judgement at some point in the flow, which is their limitation.
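The two controls that matter most against push bombing, a cap on prompts per time window and a step-up to an OTP once the user keeps denying, can be expressed as a small gate in front of the push service. This is an added example, not code from the original post or from Secret Double Octopus or iC Consult; the thresholds, the OTP seed and the user name are assumptions, and the OTP is plain RFC 6238 TOTP built from the standard library.

```python
"""Adaptive MFA push gate: rate-limits prompts and steps up to an OTP on abuse.
Added example, not vendor code; thresholds, seed and user names are assumed."""
import hashlib
import hmac
import struct
from collections import defaultdict, deque


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standard library only."""
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AdaptivePushGate:
    """Decides, after the password is verified, whether a push prompt may be sent.

    Two triggers suspend the push channel and demand an OTP instead:
      * more than max_pushes prompts within window_seconds (frequency violation)
      * max_denials consecutive denials from the user's device
    Thresholds are assumptions for the example, not vendor defaults.
    """

    def __init__(self, max_pushes=3, window_seconds=600, max_denials=2, otp_secrets=None):
        self.max_pushes = max_pushes
        self.window = window_seconds
        self.max_denials = max_denials
        self.otp_secrets = otp_secrets or {}
        self.sent = defaultdict(deque)    # user -> timestamps of prompts sent
        self.denials = defaultdict(int)   # user -> consecutive denials
        self.suspended = set()            # users whose push channel is paused

    def request_push(self, user: str, now: float) -> str:
        if user in self.suspended:
            return "otp_required"
        q = self.sent[user]
        while q and now - q[0] > self.window:   # drop prompts outside the window
            q.popleft()
        if len(q) >= self.max_pushes:
            self.suspended.add(user)            # push-bombing pattern: stop prompting
            return "otp_required"
        q.append(now)
        return "push_sent"

    def push_response(self, user: str, approved: bool) -> str:
        if approved:
            self.denials[user] = 0
            return "authenticated"
        self.denials[user] += 1
        if self.denials[user] >= self.max_denials:
            self.suspended.add(user)            # user keeps saying no: stop prompting
            return "otp_required"
        return "denied"

    def verify_otp(self, user: str, code: str, now: float) -> str:
        secret = self.otp_secrets.get(user)
        if secret is None:
            return "rejected"
        for drift in (-1, 0, 1):                # tolerate one step of clock skew
            if hmac.compare_digest(totp(secret, now + drift * 30), code):
                self.suspended.discard(user)    # possession proven: reopen push channel
                self.sent[user].clear()
                self.denials[user] = 0
                return "authenticated"
        return "rejected"


def run_scenarios() -> dict:
    """Constructed scenarios: an attacker holding alice's password drives the login."""
    secret = b"constructed-demo-seed-not-a-real-one"  # assumed OTP seed
    t0 = 1_700_000_000.0
    results = {}

    # 1. The user ignores the prompts: the 4th request in the window is refused.
    gate = AdaptivePushGate(otp_secrets={"alice": secret})
    results["ignored"] = [gate.request_push("alice", t0 + 20 * i) for i in range(4)]

    # 2. The user denies twice: the channel is suspended before fatigue sets in.
    gate = AdaptivePushGate(otp_secrets={"alice": secret})
    seq = []
    for i in range(3):
        seq.append(gate.request_push("alice", t0 + 20 * i))
        if seq[-1] == "push_sent":
            seq.append(gate.push_response("alice", approved=False))
    results["denied"] = seq

    # 3. Step-up: the attacker cannot produce the OTP; the real user can.
    genuine = totp(secret, t0 + 60)
    wrong = str((int(genuine) + 1) % 10 ** 6).zfill(6)
    results["otp_wrong"] = gate.verify_otp("alice", wrong, t0 + 60)
    results["otp_genuine"] = gate.verify_otp("alice", genuine, t0 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the attacker never gets a fourth prompt delivered, and once the user has said no twice the only way forward is a code the attacker does not hold. The residual weakness, which is what the phishing-resistant approach below removes, is that the user can still be talked into reading out the OTP to a fake help desk.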
Phishing-Resistant MFA Techniques
Phishing-resistant MFA is the latest advancement against push bombing and phishing in general: it aims to take the user’s judgement out of the authentication decision altogether. It uses pinning techniques to bind the user, workstation, and browser to specific applications and services, typically with hardware tokens such as X.509 smart cards, USB keys, or FIDO2 tokens, or with other cryptographic channel-binding techniques such as the tokenless Octopus Desktop-to-App Pinning. Because there is no prompt to approve and the credential is bound to the legitimate origin, an attacker holding only the password has nothing to bomb and cannot complete authentication without the physical or virtual token.
Combat Push Bombing with Secret Double Octopus and iC Consult
Adopting a modern MFA platform like Secret Double Octopus provides comprehensive protection against push bombing and phishing attacks. This platform makes it easy for companies to implement advanced MFA technologies, including passwordless MFA, adaptive MFA, and phishing-resistant MFA.
- Passwordless MFA: The Octopus platform eliminates the need for passwords, significantly reducing phishing risks and improving user experience and productivity.
- Adaptive MFA: The platform escalates authentication in response to unusual access attempts, enhancing security through geolocation verification, biometric requirements, and additional OTP codes.
- Phishing-Resistant MFA: The platform supports hardware-based FIDO2 tokens and tokenless Desktop-to-App Pinning, using public/private key pinning for secure authentication.
As attackers innovate, enterprises must modernize authentication methods to combat threats like push bombing. iC Consult can support your organization with transitioning to a passwordless MFA system like Secret Double Octopus, which integrates seamlessly with existing directories and helps you enhance security, improve user experience, and boost operational efficiency. Get in touch with our experts anytime for further assistance.