MFA Prompt Bombing: Why a Cookie-Cutter MFA Solution Doesn’t Cut it Anymore


Have you ever been in a situation where an interesting but obscure subject is mentioned in conversations by different people in a short amount of time? I've experienced this phenomenon recently with some of our customers. The topic that's top of mind for them is MFA prompt bombing – a new sinister attack method. Before we jump into what it is and how it can be mitigated, let me take a moment to explain how it even came to be.

As more and more enterprises adopt multifactor authentication (MFA) to strengthen their security posture, attackers are tirelessly working their way through this second line of defense. But considering the maturity of MFA technologies, attackers have once again set their sights on the weakest link of the process, the human element, creating new intrusion tactics that rely on social engineering.

These tactics are increasingly effective due to the fact that MFA can be an annoyance to end users, adding extra steps on their way to accessing their accounts or applications. Depending on how MFA is configured and how well the systems are integrated, users might have to deal with one-time passcodes (OTPs) or push notifications multiple times a day – both in their personal and professional lives. These extra steps can, and do, lead to MFA fatigue, which dulls users' sensitivity to the occasional pop-ups, causing them to click through dialogs without paying much attention to what they are actually accepting.

What is MFA Prompt Bombing?

MFA prompt bombing attacks try to leverage MFA fatigue and get users to accept authentication attempts initiatied by the attacker. Hackers usually obtain user credentials in other ways, such as buying them on the black market, or using brute-force attacks and credential stuffing, which rely on reused and easily guessable passwords. These attacks will trigger the MFA over and over again by attempting login with those valid credentials. After multiple notifications, the user can accidentally (or even intentionally) give in.

The most susceptible "factor" for MFA bombing is push-based authentication because, in most cases, the user is only a tap away to approve an authentication attempt and, considering the backchannel nature of push, the user might not be around the device that initiated the flow.

All this tells us that cookie-cutter MFA methods without intelligence can easily give a false sense of security and it's worth going the extra mile to mitigate this increasingly popular attack vector. ForgeRock Intelligent Access gives customers the ability to build sophisticated, dynamic authentication journeys that can easily help them reduce the risk of successful MFA bombing attacks and secure the enterprise.

Top considerations to forge authentication jouneys that can fend off MFA prompt bombing attacks:

Allowing unlimited attempts is asking for trouble

Many out-of-the-box MFA solutions allow unlimited tries when it comes to triggering MFA. However, in real life, two rejected authentications in a row should be a strong signal that something is wrong. Once such suspicious behavior is detected, you should take action: temporarily lock the users, switch to another MFA method (if available), and/or raise alerts.

More context, better decisions

Most Authenticator Apps provide limited context to end users about the request they need to approve, which is a missed opportunity. Presenting the location, device information, and application context when requesting for user approval can be just enough to make the user aware that something is off, so they can deny the request and report the incident.

Make sure the user is THERE

Push-based MFA has a number of advantages: the underlying technology is considered secure, end users always get notified if somebody tries to authenticate with their credentials, and it provides a superior and easy user experience compared to other MFA options (think OTPs). However, the back-channel nature of this MFA method puts users in a risky position that they can approve a request even if they are far away from the actual browser that triggered the authentication. If MFA prompt bombing is a concern, you can always fall back on MFA methods that require the user to be present at the device that is authenticating – WebAuthn is a great example of this approach, but there are many others.

Embed it if you can

Authenticator apps are limited in nature. They serve a wide audience and multiple accounts at the same time. They are generic-purpose apps. Modern IAM vendors, such as ForgeRock, provide SDKs to embed the capabilities of the authenticators into your own apps. This way, companies have full control over their MFA experience to build out secure yet streamlined MFA flows and stop push bombing attacks.

Want to learn how ForgeRock can help prevent MFA prompt bombing and other threats? Contact us here.