How Multi-Factor Authentication (MFA) is Making us Less Safe

By Michael Downs, VP at SecurEnvoy

Last month, the BBC’s Joe Tidy described how cybercriminals had been in contact attempting to persuade him to hand over sensitive BBC login details for money. After some back and forth, the criminals began flooding his phone with multi-factor authentication (MFA) notifications in a tactic known as “MFA bombing”. Joe described how attackers bombard a victim with pop-ups attempting to reset a password or log in from an unusual device. Eventually the victim presses accept, either by mistake or to make the pop-ups go away.

Why MFA?

MFA is a widely used security practice for verifying that login attempts are legitimate: users must prove their identity with two or more independent factors, such as a password, a code sent to a phone, or a fingerprint, before they can access an account or system. In an MFA bombing attack, the attackers first obtain your username and password through methods like phishing or by buying leaked credentials on the dark web. Once they have the login details, they use automated tools to trigger a flood of MFA approval requests to the target’s phone or other devices. The constant barrage of notifications causes “MFA fatigue”: frustration that makes people more likely to approve a fraudulent request just to stop the prompts. In some sophisticated attacks, the attackers also call or message their targets, pretending to be IT support, to pressure them into approving the login.

How Attackers are Using MFA Bombing Tactics

MFA bombing has been used increasingly in high-profile cyber attacks, and the Scattered Spider access broker group are believed to have used it when they attacked Marks and Spencer earlier this year. Attackers also used the tactic in the 2022 Uber hack: having obtained a contractor’s credentials, they used them to log in repeatedly, which triggered a high volume of MFA push notifications. Although the contractor initially denied the requests, the attackers then called the contractor, posing as tech support, and convinced them to approve the prompt, leading to unauthorised access.

Phishing-Resistant MFA

The problem is that MFA is still the most reliable authentication method we have. So how do we prevent it from being abused? Phishing-resistant MFA is an approach that uses cryptography to stop attackers from stealing or intercepting login credentials, even if they trick someone into entering them on a fake website. It moves beyond traditional, phishable methods such as SMS codes or push notifications – all of which are susceptible to MFA bombing. There are three main options:

FIDO2 cryptographic passkeys: the private key stays securely on your device, while only the public key is registered with the service. Because each key pair is bound to the legitimate website or app domain, a user who is tricked onto a fake login page is still protected: their device won’t complete the authentication, because the domain doesn’t match the one the passkey was created for.

PIV/CAC smart cards, typically used by governments, use Public Key Infrastructure (PKI) in a physical smart card that stores a cryptographic certificate. You insert the card into a reader and enter a PIN to authenticate. Because the certificate on the card authenticates directly with the legitimate system, credentials are never typed or transmitted in a way that a fake or malicious website could intercept or steal.

Certificate-based authentication also uses PKI, installing a digital certificate directly on a device (such as a laptop or smartphone); the device presents this certificate to the service to prove its identity cryptographically. This method eliminates passwords and ensures that authentication only completes with the correct, verified domain.
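The domain binding described above is the property that defeats a look-alike login page. The simulation below is an added example, not code from the article or from SecurEnvoy, and it deliberately simplifies one thing: the authenticator’s per-credential signature is modelled with a keyed SHA-256 MAC so that it runs with the Python standard library alone, whereas a real authenticator signs with a private key and the relying party verifies with the stored public key. The domain names are constructed. What the simulation reproduces faithfully is the WebAuthn structure: credentials are selected by relying-party ID (the page’s effective domain, which the browser fills in and the page cannot choose), the signed data carries SHA-256(rpId) plus a hash of the client data that contains the origin, and the relying party rejects anything whose origin or rpIdHash is not its own.

```python
"""Simulation of FIDO2/WebAuthn domain binding (added example, stdlib only).

Assumption: the signature is a keyed MAC whose key both sides hold, standing in
for the private/public key pair of a real authenticator.  Everything else
mirrors the assertion flow: rpId scoping, rpIdHash, origin inside clientData.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Holds credentials keyed by rpId; a credential only answers for its own rpId."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # key handed out only because the toy RP verifies with it

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:
            return None  # nothing scoped to this domain, so nothing is signed
        cred_id, key = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return cred_id, auth_data, hmac.new(key, signed, "sha256").digest()


class Browser:
    """The user agent derives rpId from the page origin; the page cannot override it."""

    def __init__(self, authenticator):
        self.auth = authenticator

    def navigator_credentials_get(self, page_origin, challenge):
        rp_id = page_origin.split("://", 1)[1]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}).encode()
        assertion = self.auth.get_assertion(rp_id, client_data)
        return None if assertion is None else (client_data, *assertion)


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.keys = {}  # credential_id -> key (the public key in a real deployment)

    def register(self, cred_id, key):
        self.keys[cred_id] = key

    def verify(self, challenge, response):
        if response is None:
            return "no credential for this domain"
        client_data, cred_id, auth_data, sig = response
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return "origin/challenge mismatch"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        key = self.keys.get(cred_id)
        if key is None:
            return "unknown credential"
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            "sha256").digest()
        return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def run_scenarios():
    """Genuine login, look-alike page, and a relayed assertion from the look-alike."""
    authenticator = Authenticator()
    browser = Browser(authenticator)
    bank = RelyingParty("https://bank.example")          # constructed domain
    bank.register(*authenticator.make_credential(bank.rp_id))
    challenge = secrets.token_hex(16)

    # 1. The real site: origin and rpIdHash match, signature verifies.
    real = bank.verify(challenge,
                       browser.navigator_credentials_get("https://bank.example", challenge))
    # 2. A look-alike domain: the browser scopes the request to that domain and the
    #    authenticator holds no credential for it, so the ceremony never completes.
    phish = bank.verify(challenge,
                        browser.navigator_credentials_get("https://bank-example.com", challenge))
    # 3. Even if the user had created a passkey on the look-alike site and its
    #    assertion were relayed to the real service, the origin in clientData exposes it.
    lookalike = RelyingParty("https://bank-example.com")
    lookalike.register(*authenticator.make_credential(lookalike.rp_id))
    relayed = bank.verify(challenge,
                          browser.navigator_credentials_get("https://bank-example.com", challenge))
    return real, phish, relayed


if __name__ == "__main__":
    print(run_scenarios())
```

The second scenario is the common phishing case: the user is on the wrong domain, and there is simply no credential to use. The third shows why a relaying proxy does not help either: the origin is written into the signed client data by the browser, so a verifier that compares it against its own origin rejects the assertion before it even looks at the signature.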

How to Avoid MFA Fatigue

In addition to adopting phishing-resistant MFA, users and organisations can follow this advice to stop MFA fatigue from leading to the approval of a fraudulent notification:

  • Switch to one-time passcodes (OTP) from authenticator apps, which are less susceptible to bombing than “Approve/Deny” push notifications.
  • Use the strongest authentication methods available, such as FIDO2 security keys or biometrics (fingerprint or facial recognition), which are harder for attackers to bypass.
  • Use risk-based or adaptive MFA, which analyses login context (location, device, time) and can automatically block suspicious attempts that deviate from the norm.
  • Configure systems to automatically lock an account, or require manual admin intervention, after a certain number of failed MFA attempts.
  • Use strong, unique passwords and a password manager. Since MFA bombing requires your password first, strong passwords are a critical first line of defence.
  • Only approve login requests that you initiated yourself. If you receive an unexpected prompt, deny it and report it to your IT department immediately.
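The bombing pattern described earlier (a burst of pushes, repeated denials, then an approval) and the lockout advice in the list above both come down to counting MFA events per user in a time window. The detector below is an added example, not code from the article or from SecurEnvoy; the log format, the sample lines and the thresholds are constructed for illustration and should be mapped onto the push events and lockout controls of your own identity provider. It raises an alert once a user receives more pushes than a normal login would generate, marks the account for admin review after repeated denials, and treats any event after that point, including an approval, as something to investigate rather than honour.

```python
"""MFA push-bombing detection over constructed authentication logs (added example).

Assumptions: one whitespace-separated event per line ("ts user event source_ip"),
event names push_sent / push_denied / push_approved, and the thresholds below.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is being bombed from one address; bob logs in normally.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z alice push_sent 203.0.113.5
2025-06-01T08:00:03Z alice push_denied 203.0.113.5
2025-06-01T08:00:10Z alice push_sent 203.0.113.5
2025-06-01T08:00:12Z alice push_denied 203.0.113.5
2025-06-01T08:00:20Z alice push_sent 203.0.113.5
2025-06-01T08:00:21Z alice push_denied 203.0.113.5
2025-06-01T08:00:30Z alice push_sent 203.0.113.5
2025-06-01T08:00:31Z alice push_denied 203.0.113.5
2025-06-01T08:00:40Z alice push_sent 203.0.113.5
2025-06-01T08:00:44Z alice push_approved 203.0.113.5
2025-06-01T08:05:00Z bob push_sent 198.51.100.7
2025-06-01T08:05:04Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=10)
MAX_PUSHES = 3    # more pushes than this per window is a flood
MAX_DENIALS = 4   # this many denials per window locks the account for admin review


def parse_line(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def analyse(log_text):
    """Return (alerts, locked_users); alerts are (timestamp, user, kind, detail)."""
    pushes = defaultdict(deque)   # user -> push timestamps inside the window
    denials = defaultdict(deque)  # user -> denial timestamps inside the window
    locked = set()
    alerts = []
    for line in log_text.splitlines():
        ts, user, event, ip = parse_line(line)
        for history in (pushes[user], denials[user]):
            while history and ts - history[0] > WINDOW:
                history.popleft()  # sliding window: forget old events
        if user in locked:
            # Nothing is honoured for a locked account; an approval here is exactly
            # the fatigue outcome the lockout exists to prevent.
            alerts.append((ts, user, "event_while_locked", event))
            continue
        if event == "push_sent":
            pushes[user].append(ts)
            if len(pushes[user]) > MAX_PUSHES:
                alerts.append((ts, user, "push_flood",
                               f"{len(pushes[user])} pushes in window from {ip}"))
        elif event == "push_denied":
            denials[user].append(ts)
            if len(denials[user]) >= MAX_DENIALS:
                locked.add(user)
                alerts.append((ts, user, "locked_after_denials",
                               f"{len(denials[user])} denials in window"))
        elif event == "push_approved":
            if len(denials[user]) >= 2:
                # Approval following repeated denials is the classic fatigue signature.
                alerts.append((ts, user, "approved_after_denials",
                               f"{len(denials[user])} prior denials"))
    return alerts, locked


if __name__ == "__main__":
    found, locked_users = analyse(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("locked:", sorted(locked_users))
```

In the sample, the fourth push to alice trips the flood alert, the fourth denial locks her account, and the later push and approval are logged as events against a locked account instead of being accepted. Real deployments would wire the lock to the identity provider and route the alerts to the SOC; the thresholds should be tuned to what legitimate logins actually generate so that a user who mistypes once is not locked out.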

MFA is still the best defence we have against attackers looking to use stolen credentials to log into systems. However, we need to remain vigilant as they continue to explore ways to circumvent our protections. Organisations implementing MFA need to ensure that it is frictionless and fits the user experience, so that it becomes part of a wider security awareness strategy rather than something users accept and ignore.
