How to Avoid Account Takeover Risks from Push Bombing and MFA Fatigue Attacks
JumpCloud blog, published 2023-04-12 (last modified 2023-08-30)
https://jumpcloud.com/blog/push-bombing-mfa-fatigue

Organizations turn on multi-factor authentication (MFA) to secure access to corporate resources and strengthen their security posture.

IT admins like using push-notification MFA for several reasons. Since most users carry a smartphone at all times, push notifications add minimal user friction. They are also ubiquitous (admins can enable them across more kinds of resources and endpoints than other methods) and offer protection against “man in the middle” attacks.

Recently, this trusted security measure has been facing a new kind of attack known as push bombing or MFA fatigue. Keep reading to learn how to reduce your risk.

What Is Push Bombing and MFA Fatigue?

When an organization uses push MFA, the user is required to approve the login or access request sent to their personal device in the form of a push notification. This is just one way (of many) to verify the user’s identity, but it is often preferred for its UX benefits.

Push bombing is a technique in which an attacker uses a script or a bot to make repeated login attempts with stolen or leaked credentials, flooding the user’s mobile device with a spam of push notifications.

Here’s how it works:

1. An attacker repeatedly sends the user an endless stream of push notifications, intending to exasperate them into accidentally approving a prompt.
2. Understandably, the user feels a sense of fatigue, and it’s easy to make mistakes out of frustration. They accept the prompt.
3. Unfortunately, the trick works extremely well for account takeover and breaches. The attacker now has access to the account in question.

Alternatively, an attacker may contact the user while impersonating an IT admin and convince them to approve the login attempt.
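The sequence above has a recognizable shape in authentication logs: a burst of push prompts to one user inside a short window, and sometimes an approval that lands while the burst is still active. As an added example (not part of the JumpCloud post and not JumpCloud’s own product logic), the following detection routine flags exactly that pattern; the event format, the window and the prompt threshold are assumptions, and the log events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real log data): user, timestamp, result.
SAMPLE_EVENTS = [
    ("alice", "2023-04-12T09:00:00", "denied"),
    ("alice", "2023-04-12T09:00:20", "timeout"),
    ("alice", "2023-04-12T09:00:45", "denied"),
    ("alice", "2023-04-12T09:01:10", "timeout"),
    ("alice", "2023-04-12T09:01:30", "denied"),
    ("alice", "2023-04-12T09:02:05", "approved"),  # approval right after a burst: likely takeover
    ("bob",   "2023-04-12T09:00:00", "approved"),  # single normal login
    ("bob",   "2023-04-12T13:00:00", "denied"),    # isolated denial hours later, not a burst
]


def detect_push_bombing(events, window_minutes=5, max_prompts=3):
    """Return one alert dict per user who received a burst of push prompts.

    An alert fires when a user gets more than `max_prompts` prompts inside a
    sliding window of `window_minutes` (assumed thresholds). If an 'approved'
    result arrives while the burst is active, the alert is marked as a possible
    takeover, the case that needs immediate response (revoke sessions, reset
    credentials, re-enroll MFA).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    alerts = {}
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        prompts.append(now)
        while prompts and now - prompts[0] > window:  # drop prompts older than the window
            prompts.popleft()
        if len(prompts) > max_prompts:
            alert = alerts.setdefault(
                user, {"user": user, "prompts": 0, "approved_during_burst": False}
            )
            alert["prompts"] = max(alert["prompts"], len(prompts))
            if result == "approved":
                alert["approved_during_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic would also feed a rate limit on the identity provider side, so a user never sees the sixth prompt in the first place.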

How JumpCloud Protect Helps Admins Combat Attacks

Stronger Password Policy

Push prompts are triggered after an attacker has already obtained a user’s password. The weaker the password, the more likely an attacker is to obtain it through brute force or social engineering.

IT admins can use JumpCloud’s password settings to adopt a stronger password policy that meets the following requirements: