What is MFA Prompt Bombing ?

MFA prompt bombing is the concept of a low-complexity cyber-attack where the lone goal is to gain access to a system or application that is protected by MFA. The attackers will rely on human error to trick a user into accepting a multi-factor authentication (MFA) request. 

The most important factor of MFA prompt bombing for attackers is push-based authentication due to the simplicity that a user is one click away from approving an authentication request.

In a typical MFA prompt bombing attack, cybercriminals will send many MFA approval requests to a user over a short period hoping that the user will be annoyed by the numerous amounts of MFA requests and will give in and accept the authentication request and provide the attacker access.

No matter the annoyance created by MFA prompt bombing, a successful attack will provide the attacker access to accounts or the opportunity to run malicious code on a target system.

Common MFA Prompt Bombing Techniques

In most MFA prompt bombing attacks, the attacker will obtain the credential of their targeted user from common methods such as brute force attacks, getting them online or other common methods to compromise the credentials. Once the attacker has the compromised credentials, they will use one of the following to initiate an MFA prompt bombing attack.

  • Send several MFA prompts to annoy the target to accept one of the MFA requests 
  • Casually send an MFA request daily to avoid creating malicious activity or arousing suspicion from the target and detection by monitoring tools.
  • If the attacker is not using compromised credentials, they can run social engineering attacks. For example, sending an SMS or an email requesting the user credentials while pretending to be a colleague of the user.

MFA Prompt Bombing is on the Rise

Despite MFA prompt bombing being around for several years, attackers are only now deploying these methods of attacks at a more frequent pace. A recent example of a successful MFA prompt bombing was the Uber breach. The prompt bombing attack on Uber utilized MFA push notifications through a Duo authenticator app and issued multiple push notifications until the request was accepted.

While attackers will continue to deploy MFA prompt bombing techniques, organizations will struggle to fight off MFA prompt attacks as it bypasses standard MFA protection. This creates a major security gap for most organizations due to limited visibility into user activity and authentication requests they receive with standard MFA solutions.  

To learn more about how Silverfort helps organizations fight off MFA Prompt attacks, click here

Frequently Asked Questions

  • How does MFA prompt bombing work?

    MFA (multi-factor authentication) prompt bombing is a type of attack that aims to overload the authentication system by repeatedly sending authentication requests, resulting in a denial of service (DoS) attack.

    The attacker creates a script or bot that repeatedly sends MFA authentication requests to the target system, using either a valid or a spoofed user account. The script or bot can be configured to send requests at a high rate, resulting in a flood of requests that the authentication system is unable to handle.

    As a result, the system becomes overwhelmed, and legitimate users are unable to authenticate. The system might even crash, rendering it completely unavailable.

    Additionally, the attacker can use the same method with a large number of spoofed accounts, which can cause the system to lock the targeted user out, either temporarily or permanently. This is a type of account lockout attack.

    MFA prompt bombing can be a serious threat to the availability of systems that rely on MFA, and it highlights the importance of implementing robust security measures to protect against these types of attacks.

  • How can you mitigate MFA prompt bombing attacks?

    There are several ways to mitigate MFA prompt bombing attacks:

    1. Implement rate limiting: Rate limiting is a technique that limits the number of requests that can be made to a system within a specific time frame. This can be used to limit the number of MFA authentication requests that can be made, helping to prevent the system from being overwhelmed.
    2. Use CAPTCHA: A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge-response test that can be used to ensure that requests are being made by humans and not bots.
    3. Use adaptive authentication: Adaptive authentication is a technique that adjusts the level of authentication based on the risk of the request. For example, if a request appears to be coming from a known bot or from an unusual location, the system can require additional authentication steps.
    4. Use security solutions: Security solutions such as intrusion detection and prevention systems, firewalls, and Web Application Firewalls (WAFs) can be used to detect and block MFA prompt bombing attacks.
    5. Monitor and analyze logs: Regularly monitoring and analyzing logs can help detect unusual patterns of activity, such as an abnormal number of authentication requests coming from a single IP address.
    6. Train employees: Train employees to recognize the signs of MFA prompt bombing and to report any suspicious activity to the IT department.

    It’s important to note that MFA prompt bombing is a form of DoS attack and is a highly sophisticated and advanced threat, so a combination of multiple security layers is needed to effectively protect against this type of attack.