Today, let’s expand our vocabulary to include the term “MFA Fatigue”: Multi-Factor Authentication Fatigue.
⏱ Reading time: 3 minutes
What is MFA Fatigue? Is push MFA actually safe?
When we at intension made two-factor authentication mandatory for everyone, the first reactions were “Do we have to?” or “Isn’t once a week enough?”. But unfortunately there are not many alternatives to make password-based logins more secure. TOTP-based methods, for example, are “annoying” because a code always has to be entered. Every day. No exception. But that is not what is meant here by MFA fatigue.
2FA: Does it have to be?
As a more convenient and therefore more popular alternative, Microsoft Authenticator had established itself with us. Instead of entering a 6-digit code that has to be read out by a TOTP app, a push message is sent to the mobile phone. The login attempt is then released by entering a PIN or checking a biometric feature. Until recently, this was particularly practical for owners of a smart watch, as here the push request could be confirmed directly by touch on the watch.
When push messages get on your nerves
It turns out that hackers have identified the human factor as a weak point here. If a push-based method is used, one point of attack is so-called MFA spamming. In this case, a user is permanently flooded with confirmation requests. The expectation is that at some point the user will confirm one of the requests either thoughtlessly and by mistake, or tired of the many requests and perhaps hoping to end the wave of spam. Bingo for hackers.
This approach to gaining access to an account is called “MFA Fatigue”. Alluding to the fatigue caused by persistent confirmation requests.
How to reduce the risk of MFA spamming?
Of course, something can be done about it. Providers can, for example, use adaptive authentication procedures to check incoming requests transparently for users. An evaluation is carried out on the basis of certain criteria, and authentication is only triggered via the second factor in the case of supposedly valid requests.
Rate limits also offer increased protection. In this case, the number of possible requests for the second factor is limited, or successive incoming requests are assigned an increasing waiting time.
Increased protection at Microsoft
Incidentally, Microsoft has decided to change the multi-factor authentication process via push in such a way that a short numerical code must also be entered after the push request in the app. This is displayed in the login window, and only the “second factor” sitting in front of the screen can read it and enter it in the app.
MFA spamming will thus no longer be successful in obtaining access. Nevertheless, providers must ensure that the two-factor mechanisms cannot be exploited to harass users with spam requests. Improvements are therefore to be striven for on both sides.
Passwordless into the future
We have often tagged our posts with #passwordless. Because compared to the app-based MFA procedures, there is a real plus in terms of security. Whether in the cloud with #passkeys or device-based, e.g. with USB sticks, modern passwordless procedures are the winners and, together with Keycloak, a good solution for a secure and good UX when logging in.