Skip to content
Prompt bombing is not going away, and the time to protect your organization is now.

Can You Defend Against MFA Fatigue?

How It Happens

Last week Cisco released a security indecent statement and accompanying blog about a breach that occurred in late May where non-sensitive data was stolen. The initial attack was focused on an employee's personal google account, where their credentials were stored via a password manager.

Like many of the recent breaches we have seen, threat actors used an increasingly popular method to bypass the MFA once the employee’s credentials were obtained. Prompt bombing, sometimes called MFA fatigue, is when threat actors deploy countless push notifications to the target mobile device. Prompt bombing relies on annoyance and inconvenience. The attackers hope that the high volume of push notifications at a time when the target is asleep will trick them into approving an MFA push notification or accidentally doing so by trying to silence their device. 

Once the attackers bypass the MFA, the most common next step is enrolling new devices for MFA, which is precisely what they did in this situation. They also deployed a variety of post-exploitation tools. 

Human Error Is Inevitable 

As a form of social engineering, prompt bombing is a difficult tactic to defend against. Research and past breaches both show that human error is one of the most significant hurdles for an organization to overcome. Roughly ¼ of all data breaches can be attributed to user error.

There is no malice on the user's part; that’s why prompt bombing is so insidious. We can all understand the target's urgency to end the bombardment of dings and the repeated light-up of their phone in the middle of the night.

So, how do you defend against an assailant in the middle of the night? 

Phishing-Resistant Passive Biometrics 

A tale as old as, well, MFA. Mobile-based multi-factor authentication solutions will not stop phishing attacks. As MFA becomes increasingly adopted, threat actors will become more and more determined to find ways to bypass it.

As we have mentioned in previous blogs, phishing-resistant MFA is one of the most integral components of creating a truly zero-trust architecture. This framework was heavily advocated for in January by the White House in an OMB memo, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.”

Twosense MFA products are built on zero trust principles and are unique because the user does not actively participate in the MFA challenge. Both products, Passive MFA and Continuous MFA use machine learning to drive passive biometrics, which completes the authentication process. Biometric factors are unique to each individual user, making them impossible to fake. This approach is completely phishing-resistant because there are no keys or codes that can be handed to an attacker in the event of a phishing attempt.

For organizations looking for even more security beyond the possibility of threat actors bypassing MFA, the Continuous MFA product can also detect a malicious user within one minute should they remote into a machine with the Twosense agent installed. 

As attackers continue to find new ways to circumvent security measures, it is crucial that organizations stay one step ahead. With 3 simple steps, admins can deploy MFA everywhere, on every app, all the time, and help safeguard themselves against attacks such as these.

Schedule your demo with our team here.

More from the Blog

August 7, 2020

Garmin one of the latest companies to be hit by increasing ransomware attacks

Garmin was recently the victim of a WastedLocker ransomware attack that took a majority of its systems offline....
October 3, 2022

Twosense Protects Against Credential Stuffing and MFA Fatigue

Credential stuffing is increasing at a record pace. According to Okta’s State of Secure Identity Report, 2022 has...
May 28, 2024

The 5 Security Threats Facing BPO Contact Centers

Fraud and insider security threats are just the tip of the iceberg for Business Process Outsourcing (BPO)...

Subscribe Here

We will never share your email address with third parties.