New Attacks Target Multi-Factor Authentication

Microsoft, Cisco and Uber are among the companies hit by this new threat…

An article review. 

As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves sending numerous fraudulent push notifications to a target in the hopes that they will inadvertently accept one–and it has recently been seen at organizations including Microsoft, Cisco and Uber.

While avoiding these kinds of attacks can be as simple as not accepting unexpected push notifications, experts suggest disabling push notifications entirely.  If that is not possible, both Duo and Microsoft offer “verified push” options in their authenticators which require the user to match a number displayed on their screen with one in the push notification.  It should also be noted that a Push Spamming attack at Cloudflare was mitigated by their use of hardware security keys–though this technology may present compatibility issues with some services.  Finally, it is important to remember that while these attacks are concerning, a properly implemented multi-factor authentication system should still be considered an important part of securing your organization’s systems.

Original article by Lawrence Abrams writing for Bleeping Computer.