MFA prompt bombing is an attack method used to bypass multi-factor authentication (MFA) security. This technique works by flooding users with MFA prompts to access a system, with the goal of finding a prompt that the user accepts.
MFA prompt bombing is an emerging cyber threat that organizations must understand and defend against. As multi-factor authentication has become more widely adopted to strengthen account security, threat actors have developed techniques to systematically target users with authentication requests in an attempt to gain access. Through repeated login prompts, hackers try to confuse or frustrate users into entering their credentials or approval into a malicious site or app.
This technique, known as MFA prompt bombing, allows attackers to bypass multi-factor authentication and gain access to sensitive accounts and data. Cybersecurity professionals and business leaders need awareness and education about this threat to protect their organizations. By understanding how MFA prompt bombing works and the strategies to mitigate risk, companies can avoid becoming victims of this increasingly common attack vector.
Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. MFA adds an extra layer of security to user sign-ins and transactions.
Traditional authentication methods rely on a single factor — typically a password. However, passwords can be stolen, guessed, or hacked. Through MFA, unauthorized access can be prevented by requiring more than just a password. This could be in the form of a security key, a code that is sent to a mobile device, or a biometric scan.
MFA protects against phishing, social engineering, and password-cracking attacks. Even if a hacker obtained a user’s password, they would still need the second authentication factor to gain access. This multi-pronged approach significantly reduces the risk of account compromise.
There are several types of MFA options:
MFA should be implemented for any system or application that contains sensitive data or funds to help reduce risks like account takeover and fraud. When set up properly, MFA is an effective control that enhances login security and protects user accounts.
MFA prompt bombing begins with an attacker gaining access to a user’s username and password. The attacker then uses automation to generate and submit a high volume of login attempts for the user’s account. Each login attempt triggers an MFA prompt, like a text message with a one-time code or an authentication app notification.
The attacker continues generating login attempts at a rapid pace until the user accepts an MFA prompt, whether intentionally or accidentally. Accepting a prompt gives the attacker the authentication code they need to access the user’s account. At this point, the attacker has bypassed MFA and has gained full access.
MFA prompt bombing preys on user psychology and limited human attention spans. When bombarded with a barrage of prompts in quick succession, a user is more likely to tap or enter a code without thinking in order to make the prompts stop. Even if the user realizes the mistake immediately, the attacker already has the access they need.
To defend against MFA prompt bombing, organizations should monitor for unusually high volumes of MFA prompts for a single user account. Prompt bombing also highlights the need for stronger authentication methods that are more difficult to bypass, such as FIDO2 security keys, biometric authentication, and risk-based MFA. By implementing adaptive MFA policies and robust authentication monitoring, companies can reduce the risks of prompt bombing and other MFA bypass techniques.
MFA prompt bombing attacks target users who have access to critical systems by attempting to overwhelm them with authentication requests. These brute force attacks aim to deny access to legitimate users by locking them out of accounts and systems.
Cybercriminals often employ botnets, networks of infected computers, to carry out MFA prompt bombing attacks. The bots are programmed to repeatedly attempt authentication to target systems using lists of stolen or guessed credentials. Due to the high volume of login attempts, the target MFA systems lock out accounts to prevent unauthorized access. However, this also blocks valid users from accessing their accounts.
Another common tactic used in MFA prompt bombing is credential stuffing. Hackers obtain lists of usernames and passwords from previous data breaches and leaks. They then stuff these credentials into the target system’s login page as quickly as possible. The repeated failed login attempts trigger the account lockout mechanisms, resulting in denial of service.
There are several methods organizations can employ to mitigate the threat of MFA prompt bombing:
MFA prompt bombing threatens organizations by denying users access to their accounts and systems. However, with vigilance and proper safeguards in place, the risks posed by these kinds of brute force attacks can be significantly mitigated. Continuous monitoring and adaptation to evolving threats are key.
To detect MFA prompt bombing, organizations should implement the following security measures:
Monitoring for an unusually high volume of failed login attempts, especially across multiple accounts or sources, can indicate MFA prompt bombing activity. Cybercriminals are likely to try different passwords and usernames in an attempt to guess correct credentials. Organizations should set thresholds to detect these anomalies and receive alerts when they occur.
Reviewing MFA prompts and user responses can uncover signs of MFA prompt bombing such as:
Analyzing virtual private network (VPN) logs and network activity can also reveal MFA prompt bombing. Things to look for include:
Organizations should implement additional identity security controls to reduce the risk of MFA prompt bombing like:
By maintaining vigilance and implementing a strong identity security strategy, organizations can detect and mitigate the threat of MFA prompt bombing. It is essential to implement a proactive security strategy across people, processes, and technology to fight off MFA prompt bombing attacks.
To prevent MFA prompt bombing, organizations should implement multi-factor authentication (MFA) across all internet-facing resources and user accounts. MFA adds an additional layer of security that requires not only a password but also another method of verification like a security code sent via text message or an authentication app. With MFA enabled, attackers using stolen credentials won’t succeed in gaining access unless they also have access to the user’s phone or authentication device.
Some MFA options are more susceptible to prompt bombing than others. SMS text messaging and voice calls can be compromised, allowing attackers to intercept authentication codes. Hardware tokens and authentication apps provide a higher level of security. Security keys, like YubiKeys, offer the strongest protection and should be used for administrators and privileged accounts whenever possible.
Security teams should monitor user accounts and authentication requests for signs of prompt bombing attempts. Things like an unusually high number of MFA prompts in a short time span, MFA prompts originating from suspicious IP addresses, or reports of SMS or voice phishing messages claiming to be MFA codes can all indicate prompt bombing. Detected attacks should trigger an immediate password reset and review of the user’s account activity.
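The detection signals described in the detection section and just above (a burst of MFA prompts for one account, failed logins against many accounts from one source, and a prompt that is finally approved after repeated denials) can be expressed as simple sliding-window rules over an authentication log. The following is an added example written for this page, not code from Silverfort or any identity provider; the JSON-lines log format, the event names (`mfa_prompt_sent`, `mfa_denied`, `mfa_approved`, `login_failed`) and the thresholds are assumptions, and the log lines themselves are constructed sample data.

```python
"""Sliding-window detection of MFA prompt bombing patterns in an auth log (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). Event names and fields are assumptions,
# not a real product's schema. 'alice' is a normal login; 'bob' is bombed with
# prompts and eventually approves one; 198.51.100.7 also sprays failed logins
# across several accounts (credential stuffing).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00", "user": "alice", "event": "mfa_prompt_sent", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T08:00:20", "user": "alice", "event": "mfa_approved", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T02:00:00", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:00:30", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:00:40", "user": "bob", "event": "mfa_denied", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:01:00", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:01:10", "user": "bob", "event": "mfa_denied", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:01:30", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:01:40", "user": "bob", "event": "mfa_denied", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:02:00", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:02:30", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:03:00", "user": "bob", "event": "mfa_prompt_sent", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:03:20", "user": "bob", "event": "mfa_approved", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:10:00", "user": "carol", "event": "login_failed", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:10:05", "user": "dave", "event": "login_failed", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:10:10", "user": "erin", "event": "login_failed", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:10:15", "user": "frank", "event": "login_failed", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T02:10:20", "user": "grace", "event": "login_failed", "src_ip": "198.51.100.7"}
"""


def parse_events(raw: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_prompt_bombing(events, max_prompts=5, window=timedelta(minutes=10)) -> dict:
    """Users who received more than max_prompts MFA prompts inside any window."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    alerts = {}
    for ev in events:
        if ev["event"] != "mfa_prompt_sent":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_prompts:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(q))
    return alerts


def detect_credential_stuffing(events, max_accounts=4, window=timedelta(minutes=5)) -> dict:
    """Source IPs with failed logins against more than max_accounts distinct users in a window."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, user) of failures inside the window
    alerts = {}
    for ev in events:
        if ev["event"] != "login_failed":
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_accounts:
            alerts[ev["src_ip"]] = max(alerts.get(ev["src_ip"], 0), distinct)
    return alerts


def detect_approval_after_denials(events, min_denials=2, window=timedelta(minutes=15)) -> list:
    """Approvals that follow repeated denials: the 'user gave in to make it stop' signature."""
    denials = defaultdict(deque)  # user -> timestamps of recent denials
    hits = []
    for ev in events:
        if ev["event"] == "mfa_denied":
            denials[ev["user"]].append(ev["ts"])
        elif ev["event"] == "mfa_approved":
            q = denials[ev["user"]]
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= min_denials:
                hits.append((ev["user"], ev["ts"].isoformat(), len(q)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("prompt bombing:", detect_prompt_bombing(evs))
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("approval after denials:", detect_approval_after_denials(evs))
```

Each rule keeps only the events inside its window in a deque, so it runs in a single pass over a sorted log and can be wired to a streaming source. The third rule is the one worth paging on: a burst of prompts alone may be a misconfigured client, but an approval that arrives after several denials within minutes is the moment the page describes, and the response it calls for is a password reset and review of that account's activity.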
Educating users about MFA and prompt bombing helps reduce risk. Training should cover:
With the right controls and user education in place, organizations can reduce the threat of MFA prompt bombing and strengthen their users’ overall security hygiene. However, as with any cybersecurity defense, continued vigilance and regular reviews of new threats and mitigation techniques are required.
To prevent prompt bombing attacks, organizations should implement an MFA solution that uses dynamically generated one-time passcodes (OTPs) instead of SMS text messages. These solutions generate a new OTP each time a user logs in, so attackers cannot reuse codes to gain unauthorized access.
Hardware tokens, such as YubiKeys, generate OTPs that change with each login. Since the codes are generated on-device, attackers cannot intercept them via SMS or voice call. Hardware tokens offer a high level of security but may require an upfront investment to purchase the tokens. They also require users to carry an additional physical device, which some may find inconvenient.
Authenticator apps like Google Authenticator, Azure MFA, Silverfort, and Duo generate OTPs on the user’s phone without relying on SMS or voice calls. The OTPs change frequently and the apps do not transmit the codes over a network, so they are very difficult for attackers to intercept or reuse. Authenticator apps are a secure, convenient, and low-cost MFA solution for organizations on a budget. However, they still require users to have a device capable of running the mobile app.
Biometric authentication, such as fingerprint, face, or iris scanning, offers an MFA solution that is very resistant to prompt bombing and other cyber attacks. Biometrics are difficult for unauthorized users to replicate since they are based on the user’s physical characteristics. They are also very convenient for users since they do not require any additional devices or software. However, biometric systems typically require a sizable upfront investment to purchase the necessary scanning hardware and software. They may also raise privacy concerns for some.
MFA solutions that generate OTPs on-device, such as hardware tokens, authenticator apps, and biometrics, offer the strongest protection against prompt bombing and other automated attacks. Organizations should evaluate these options based on their security needs, budget, and user preferences. With the right MFA solution in place, prompt bombing can be effectively mitigated.
If your organization has been the victim of an MFA prompt bombing attack, it’s important to take the following actions to mitigate risks and prevent further damage:
Work with your security team to determine how many user accounts were targeted and compromised. Check for unauthorized logins and review account activity logs to identify accounts that were accessed. Determine what data or resources the attackers may have had access to. This investigation will help determine the severity of the incident and the appropriate response.
For any account that was compromised, immediately reset passwords and re-enroll MFA. Generate strong, unique passwords for each account and enable MFA using an authenticator app rather than SMS text messages. Make sure users enable MFA on all accounts, not just the one that was compromised. Attackers often use access to one account to gain access to others.
Review your security policies and procedures assigned to each user to identify and fix any security gaps that contributed to the attack. For example, you may need to enforce stronger password policies, limit account login attempts, restrict account access based on location or IP address, or increase monitoring of account logins. Multi-factor authentication should be required for all accounts, especially admin accounts.
Closely monitor all accounts over the next several months for any signs of further unauthorized access or account takeover attempts. Attackers may continue to target accounts even after the initial compromise to maintain access. Continually check account login and activity logs to identify any anomalous behavior as early as possible.
For larger-scale attacks, contact local law enforcement and report the cybercrime. Provide every detail about the attack that could aid in an investigation. Law enforcement may also have additional recommendations on securing your network and accounts to prevent future attacks.
It is important to take prompt and thorough action in the event of an MFA prompt bombing attack in order to limit damage, secure your systems, and minimize the chances of further compromise. Monitoring and constant vigilance are necessary to protect against follow-up attacks by malicious actors. With quick response and collaboration, organizations can overcome MFA prompt bombing’s damaging impacts.