
MFA Fatigue Attacks: What Is Push-Bombing?

Update

New ways to bypass two-factor authentication are now being used against account owners. See our newer video and post on that topic.

In this post we cover a newer threat called MFA fatigue attacks, also known as push-bombing, so that if it happens to you or your team, you know what to do.

Multi-factor authentication (MFA) remains essential for account security, but push-bombing attacks exploit the notification approval step to get around this protection. Understanding how these attacks work helps your team recognize them and respond appropriately when targeted.

How do MFA Fatigue attacks such as push-bombing work?

With push-based 2FA, receiving an approval prompt on your phone is a normal part of logging in. It’s something you are familiar with.

With push-bombing, the attackers already have your password. They typically obtain it through phishing or from a data breach password dump.

With the correct password in hand, they target the push notification step. They attempt to log in many times in quick succession, so your phone receives one approval request after another.

Most people will question a single unexpected prompt they didn’t request, but when someone is bombarded with them, it is easy to tap approve by mistake or simply to make the prompts stop. The attacker only needs one approval.

If it happens to you, do not approve anything. Tap deny if your app offers it, then put the phone down until the notifications stop. You don’t want to accidentally click allow and give away access to your account.

Once the notifications stop, log in and change your password, because chances are very good that it has been compromised. Change it anywhere else you reused it, and report what happened to your IT team.

Push-bombing is a form of social engineering attack designed to:

  • Confuse the user
  • Wear the user down
  • Trick the user into approving the MFA request to give the hacker access

These attacks have increased significantly as more organizations implement MFA. For businesses, a successful push-bombing attack against an administrative account can lead to email compromise, data theft, and failed vendor security screenings.
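The burst pattern described above shows up in sign-in logs, and it is worth alerting on. The following Python script is an added example written for this post, not code from the original page or from any identity provider: it parses a constructed log (not real data) of MFA prompt outcomes, flags any user who receives five or more denied or unanswered prompts within ten minutes, and marks the dangerous case where an approval follows the burst. The one-line log format, the field names and the thresholds are assumptions; map them onto your own provider’s sign-in export.

```python
"""Detect push-bombing bursts in MFA sign-in logs (added example).

The log format is an assumption for this example: one event per line,
    <ISO-8601 time> <user> <source IP> <result>
where result is mfa_approved, mfa_denied or mfa_timeout.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. alice is being push-bombed from
# 203.0.113.9 and finally taps approve; bob mis-taps once then approves
# normally; carol lets a prompt expire every half hour, which is noise.
SAMPLE_LOG = """\
2024-05-02T08:00:00Z carol 192.0.2.77 mfa_timeout
2024-05-02T08:30:00Z carol 192.0.2.77 mfa_timeout
2024-05-02T09:00:03Z alice 203.0.113.9 mfa_denied
2024-05-02T09:00:21Z alice 203.0.113.9 mfa_timeout
2024-05-02T09:00:44Z alice 203.0.113.9 mfa_denied
2024-05-02T09:00:00Z carol 192.0.2.77 mfa_timeout
2024-05-02T09:01:05Z alice 203.0.113.9 mfa_timeout
2024-05-02T09:01:30Z alice 203.0.113.9 mfa_denied
2024-05-02T09:02:02Z alice 203.0.113.9 mfa_denied
2024-05-02T09:02:40Z alice 203.0.113.9 mfa_approved
2024-05-02T09:05:00Z bob 198.51.100.4 mfa_denied
2024-05-02T09:05:30Z bob 198.51.100.4 mfa_approved
2024-05-02T09:30:00Z carol 192.0.2.77 mfa_timeout
2024-05-02T10:00:00Z carol 192.0.2.77 mfa_timeout
"""

UNANSWERED = {"mfa_denied", "mfa_timeout"}


@dataclass
class Event:
    time: datetime
    user: str
    ip: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed one-event-per-line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per burst of >= threshold unapproved prompts inside `window`.

    An approval that lands inside the window of an active burst is recorded on
    the alert: that is the case where the user probably tapped approve to make
    the prompts stop.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        pending = []   # unapproved prompts still inside the sliding window
        burst = None   # alert for the burst currently in progress, if any
        for e in evs:
            if burst is not None and e.time - burst["last"] > window:
                burst = None   # the attacker went quiet; a later flood is a new burst
            if e.result in UNANSWERED:
                pending.append(e)
                pending = [p for p in pending if e.time - p.time <= window]
                if burst is not None:
                    burst["prompts"] += 1
                    burst["last"] = e.time
                    burst["ips"].add(e.ip)
                elif len(pending) >= threshold:
                    burst = {
                        "user": user,
                        "first": pending[0].time,
                        "last": e.time,
                        "prompts": len(pending),
                        "ips": {p.ip for p in pending},
                        "approved_after_burst": False,
                        "approval_ip": None,
                    }
                    alerts.append(burst)
            elif e.result == "mfa_approved":
                if burst is not None:
                    burst["approved_after_burst"] = True
                    burst["approval_ip"] = e.ip
                pending = []
                burst = None
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}: {a['prompts']} unapproved prompts "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} from {sorted(a['ips'])}; "
              f"approved afterwards: {a['approved_after_burst']}")
```

Run against the sample, the script raises one alert: six unapproved prompts for alice from a single address, followed by an approval from that same address, which is exactly the sequence to treat as a compromised account. bob’s single denial and carol’s slow trickle of expired prompts stay below the threshold, so the rule does not page on ordinary mis-taps.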

Stay calm and remember these tips.

How to stop MFA Fatigue attacks.

Educate your employees.

Between 2019 and 2021, account takeover (ATO) rose by 307%. Take time to educate everyone on your team about the risks. Aside from the risk itself, MFA fatigue attacks are confusing and stressful while they are happening. By arming your employees with awareness beforehand, they will be better able to recognize the attack and stay calm. Share this post with them. Remind them of what not to do if they receive 2FA notifications they didn’t request. Ask staff to report these attacks to your IT company so that it can alert other users and help them secure their login credentials if needed.

Curate and reduce approved apps.

If you are not already using a tool to inventory the applications in use, now is the time to review and reduce the number of approved apps across your organization. This helps twofold by:

  • reducing the number of login credentials each staff member must maintain
  • prompting a reassessment of the security of each remaining app

On average, employees use 36 different cloud-based services per day, and every one of those logins is another credential that can be stolen.

Review your productivity suite for additional apps and services you can access behind a single login. By maximizing your Microsoft 365 subscription or Google Workspace accounts, you can improve productivity and security in one move.

Consider phishing-resistant MFA solutions.

Simple approve/deny push prompts are exactly what push-bombing exploits, and SMS codes have their own weaknesses (SIM swapping, interception, and phishing). Consider moving to a stronger form of MFA. Number matching in Microsoft Authenticator, where the user must type a number shown on the login screen into the app, is a step in the right direction: a blind tap no longer grants access. Phishing-resistant options go further. A device passkey or a physical security key (FIDO2/WebAuthn) binds the login to the legitimate site, so there is no prompt to approve and no code to hand over. These take a bit more effort to set up, but they are far more secure than text-based 2FA.
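To see why number matching defeats a blind tap, here is a toy model of both prompt styles. It is an added example written for this post, not Microsoft’s or any vendor’s code, and everything in it is simulated: the server, the authenticator app and the victim’s behaviour. The two-digit number, the three-strikes lockout and the victim strategies are assumptions chosen to keep the model small.

```python
"""Toy model: approve/deny push MFA versus number matching (added example).

Everything here is simulated. The server hands the login screen a two-digit
number; in a real product that screen belongs to whoever typed the password,
which under push-bombing is the attacker. The victim's app asks for that
number, and the victim never saw it because they did not start the login.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Challenge:
    username: str
    number: int           # displayed on the login screen, not in the push itself
    approved: bool = False


class PushMfaServer:
    def __init__(self, number_matching: bool, max_failures: int = 3,
                 rng: Callable[[int], int] = secrets.randbelow):
        self.number_matching = number_matching
        self.max_failures = max_failures       # wrong numbers before the account locks (assumed policy)
        self._rng = rng                        # injectable so the model is testable
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def start_login(self, username: str) -> Challenge:
        """Whoever holds the password submits it; a push goes to the account's phone."""
        return Challenge(username, self._rng(100))

    def respond(self, ch: Challenge, approve: bool, entered: Optional[int] = None) -> bool:
        """The victim's app answers the push. Returns True if the login is granted."""
        if ch.username in self.locked or not approve:
            return False
        if not self.number_matching:
            ch.approved = True                 # one stray tap is enough
            return True
        if entered == ch.number:
            ch.approved = True
            return True
        # Wrong number: count it and lock after too many, so guessing cannot continue
        self.failures[ch.username] = self.failures.get(ch.username, 0) + 1
        if self.failures[ch.username] >= self.max_failures:
            self.locked.add(ch.username)
        return False


def push_bomb(server: PushMfaServer, username: str,
              victim: Callable[[int], Tuple[bool, Optional[int]]], prompts: int = 20) -> bool:
    """Attacker fires `prompts` logins; victim(i) returns (approve?, number typed)."""
    for i in range(prompts):
        ch = server.start_login(username)
        approve, entered = victim(i)
        if server.respond(ch, approve, entered):
            return True
    return False


def tired_victim_plain(i: int) -> Tuple[bool, Optional[int]]:
    """Denies the first four prompts, then taps approve to make it stop."""
    return (i >= 4, None)


def tired_victim_guessing(i: int, guess: int = 7) -> Tuple[bool, Optional[int]]:
    """Same fatigue, but the app demands a number the victim never saw; they type a guess."""
    return (i >= 4, guess)


if __name__ == "__main__":
    print("plain push, tired victim: attacker in =",
          push_bomb(PushMfaServer(number_matching=False), "alice", tired_victim_plain))
    wins = sum(push_bomb(PushMfaServer(number_matching=True), "alice", tired_victim_guessing)
               for _ in range(1000))
    print(f"number matching, guessing victim: attacker won {wins}/1000 trials")
```

With the plain prompt, the attacker needs one stray tap. With number matching, a stray tap is a one-in-a-hundred guess per attempt, and the server locks the account after a few wrong numbers, so repeated trials succeed only a few percent of the time. Number matching is still not phishing-resistant: if the victim is tricked into starting the login on an attacker-controlled page, they see the number and will type it. That gap is what passkeys and hardware security keys close.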

Create strong password policies.

MFA fatigue attacks only work because the attacker already has the password. Educate your team on password security and use password enforcement tools where you can. Strong, unique passwords for every staff member and every account help protect your business.

Standard practices for secure password policies include:

  • Using both upper and lower-case letters
  • Using a combination of letters, numbers, and symbols
  • Not using personal information in passwords such as birth dates
  • Never reusing passwords across accounts
  • Storing passwords securely

Adopt an Advanced Identity Management Solution.

Advanced identity management solutions can also help you prevent push-bombing attacks. They typically bring all logins behind a single sign-on solution, so users have just one login and one MFA prompt to manage rather than several, and you have one place to enforce the stronger MFA methods described above.

Additionally, businesses can use identity management solutions to configure contextual (conditional access) login policies. These add a higher level of security through flexible access enforcement: the system can automatically block login attempts from outside a desired geographic area, during certain hours, or when other contextual signals such as device compliance aren’t met.

Implement Stronger MFA Protection

Push-bombing attacks target standard approve/deny push MFA. Microsoft 365 and third-party identity providers offer stronger options: number matching closes the blind-approval gap that push-bombing relies on, and passkeys and hardware security keys are phishing-resistant, removing the push prompt altogether.

Our cybersecurity consultants help Toronto businesses implement phishing-resistant MFA and identity management solutions that satisfy vendor security screening requirements.

Need help securing your authentication systems? Contact us to discuss MFA improvements.
