Part 1: The new attack vector – MFA Fatigue
The importance of MFA
With the huge shift to Cloud-based solutions over the past decade, the traditional corporate network perimeter – a big beefy firewall from the likes of Cisco or Palo Alto – now fails to protect the most vulnerable link in an organisation’s security – user identities. The once trusted domain password fails to cut the mustard once an identity has been exposed to the cloud, through identity platforms such as Azure Active Directory.
Following an exponential rise in phishing attacks between 2017 and 2019, identity providers such as Microsoft pleaded with their customers to enable multi-factor authentication (MFA), with the promise that doing so could prevent 99.9% of attacks. Requiring multiple ‘factors’ or ‘methods’ of authentication is nothing new, and the principle has remained unchanged for over 20 years – RSA, SecurEnvoy and Swivel all brought MFA solutions to market way back in the early noughties. These factors can be grouped into three main categories, and any MFA solution should span at least two of these:
- Something you know (such as a password)
- Something you have (such as a corporate-owned device or MFA code)
- Something you are (such as a fingerprint)
Organisations took heed of Microsoft’s advice and swiftly deployed Azure MFA, but most ignored the founding principle above and simply required Azure MFA for every authentication attempt. They overlooked the fact that an end-user authenticating with their password from a trusted, corporate device was already satisfying the MFA principle – their corporate device was fulfilling the ‘Something you have’ requirement. The result is excessive MFA prompts, often at numerous points throughout the working day, a poor end-user experience, and the onset of MFA Fatigue.
What is MFA Fatigue?
Human behaviour teaches us that when someone is prompted to repeat the same behaviour excessively, they begin to do so almost autonomously and without thought. Attackers have begun to exploit this fatigue, relying on users to simply approve MFA push notifications without giving thought as to the source of the annoying prompt presented to them.
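The pattern described above leaves a trace in sign-in telemetry: a run of push prompts that the user denies or ignores, sometimes followed by an approval. The following is an added detection example, not code from the original post or from any identity provider; the log lines are constructed for the example and their field layout (timestamp, user, source IP, method, result) is an assumption rather than the real Azure AD sign-in log schema.

```python
"""Flag MFA push-notification bursts, the footprint of an MFA fatigue attempt.

Added example with constructed sample records. The record format is an
assumption for illustration, not an identity provider's actual log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice receives six pushes in four minutes, denying or
# ignoring five before finally approving one; bob has an ordinary day.
SAMPLE_LOG = """\
2023-01-20T08:01:10Z alice@example.com 203.0.113.7 push denied
2023-01-20T08:01:55Z alice@example.com 203.0.113.7 push timeout
2023-01-20T08:02:40Z alice@example.com 203.0.113.7 push denied
2023-01-20T08:03:20Z alice@example.com 203.0.113.7 push timeout
2023-01-20T08:04:05Z alice@example.com 203.0.113.7 push denied
2023-01-20T08:04:50Z alice@example.com 203.0.113.7 push approved
2023-01-20T09:15:00Z bob@example.com 198.51.100.4 push approved
2023-01-20T13:40:00Z bob@example.com 198.51.100.4 push approved
"""


def parse_line(line):
    """Split one constructed record into its fields."""
    ts, user, ip, method, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "method": method,
        "result": result,
    }


def find_push_bursts(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {user: finding} for users with >= threshold rejected pushes in a window.

    A push is 'rejected' when the user denied it or let it time out. The most
    alarming finding is an approval arriving while the window still holds a
    burst of rejections: the user may have given in to the repeated prompts.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["method"] == "push":
                by_user[rec["user"]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        rejected = deque()  # rejected pushes inside the sliding window
        peak = 0
        approved_after_burst = False
        for rec in recs:
            # Drop rejections that have aged out of the window.
            while rejected and rec["ts"] - rejected[0]["ts"] > window:
                rejected.popleft()
            if rec["result"] == "approved":
                if len(rejected) >= threshold:
                    approved_after_burst = True
            else:
                rejected.append(rec)
                peak = max(peak, len(rejected))
        if peak >= threshold:
            findings[user] = {
                "peak_rejected_in_window": peak,
                "approved_after_burst": approved_after_burst,
                "source_ips": sorted({r["ip"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for user, finding in find_push_bursts(SAMPLE_LOG).items():
        print(user, finding)
```

The window and threshold are tuning knobs: a handful of denied prompts in ten minutes is rare for a genuine user, and an approval arriving on the tail of such a run is the event worth paging on, since it is exactly the behaviour the text describes.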
So, in the cat and mouse game that is cybersecurity, how have identity providers such as Microsoft responded to this emerging threat? Strengthening the push notification approval process, of course!
A simple ‘Approve’ action from a Push Notification is no longer appropriate for the reasons we’ve explained above. To avoid users unwittingly falling victim to MFA fatigue, they will instead be prompted to type into the Authenticator app the number displayed on the sign-in screen. This has become such a critical security feature that Microsoft will begin enabling this for tenants starting next month (Feb 2023). If you haven’t already done so, it is strongly recommended that organisations begin piloting this feature now and prepare their users for this upcoming change.
Additional Authentication Context
To further reduce the likelihood of an accidental approval, organisations can optionally enable Application and Geographic Location details within the push notification, providing greater context of any sign-in attempt.
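To make concrete why number matching (and the extra context) changes the outcome of a reflexive tap, here is an added model of a push challenge. It is illustrative code written for this page, not Microsoft’s implementation; the class, method and field names are assumptions, and the two-digit number is the only part mirrored from the real feature.

```python
"""Model of a push-notification MFA challenge, with and without number matching.

Added illustration, not Microsoft's implementation. Class, method and field
names are assumptions made for the example.
"""
import hmac
import secrets


class PushChallenge:
    """One MFA push prompt raised for a single sign-in attempt.

    number_matching=False models the old single-tap 'Approve' prompt.
    number_matching=True requires the number displayed on the sign-in screen
    to be typed into the authenticator before the prompt counts as approved.
    """

    def __init__(self, application, location, number_matching=True):
        # Two-digit number shown on the sign-in screen (the browser),
        # deliberately NOT included in the push itself.
        self.display_number = secrets.randbelow(100)
        # Optional additional context surfaced inside the push notification.
        self.context = {"application": application, "location": location}
        self.number_matching = number_matching
        self.approved = False

    def respond(self, approve, entered_number=None):
        """Authenticator-side response. Returns True only if the sign-in completes."""
        if not approve:
            return False
        if not self.number_matching:
            # One tap is enough: this is the fatigue scenario.
            self.approved = True
            return True
        if entered_number is None:
            # Nothing typed: a habitual 'Approve' cannot complete the prompt.
            return False
        # Constant-time comparison of the typed number against the displayed one.
        self.approved = hmac.compare_digest(
            f"{entered_number:02d}", f"{self.display_number:02d}"
        )
        return self.approved


def legacy_blind_approval():
    """Old flow: approving a prompt out of habit completes the sign-in."""
    challenge = PushChallenge("Office 365", "Unknown", number_matching=False)
    return challenge.respond(approve=True)


def number_match_blind_approval():
    """New flow: tapping approve without reading the sign-in screen fails."""
    challenge = PushChallenge("Office 365", "Unknown")
    return challenge.respond(approve=True)


def number_match_wrong_number():
    """A guessed number (here, deliberately off by one) also fails."""
    challenge = PushChallenge("Office 365", "Unknown")
    wrong = (challenge.display_number + 1) % 100
    return challenge.respond(approve=True, entered_number=wrong)


def number_match_correct_number():
    """Only the number read off the genuine sign-in screen completes the prompt."""
    challenge = PushChallenge("Office 365", "London, GB")
    return challenge.respond(approve=True, entered_number=challenge.display_number)


if __name__ == "__main__":
    print("legacy blind approval:", legacy_blind_approval())
    print("number matching, blind approval:", number_match_blind_approval())
    print("number matching, wrong number:", number_match_wrong_number())
    print("number matching, correct number:", number_match_correct_number())
```

The design point is that the number lives on the sign-in screen and only ever travels from the user’s eyes into the authenticator, so a prompt the user did not initiate cannot be completed by muscle memory; the application and location fields ride along in the push purely to help the user judge the prompt. It also shows the limit the next paragraph raises: the number is displayed on whatever screen the sign-in is happening on, so this control stops reflexive approvals rather than making the sign-in itself phishing-resistant.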
With the impending Number Matching feature, you’d be forgiven for thinking that Microsoft are coming to your rescue and your user identities will once again be safe from the bad guys, but unfortunately number matching only solves half the problem. Whilst number matching helps combat MFA fatigue, it doesn’t make Azure MFA entirely phish-resistant.
Intelligence shows that pass-the-cookie and phone-based phishing attacks are on the rise. Alarmingly, both these methods would still be successful irrespective of number matching. So how do the identity experts propose that we respond to these emerging threats? Well, for that you’ll need to stay tuned for Part 2: Phishing-Resistant Authentication.
Need support? As a longstanding Microsoft Partner with Modern Work and Infrastructure (Azure) Designations, Advanced are best placed to help your business make the most out of your technology investments and achieve your objectives. Simply get in touch today if you’d like advice or help getting started.