In the wake of recent high-profile security breaches, companies are investing heavily in robust Identity Providers (IdPs) and multi-factor authentication (MFA) solutions. However, these investments can be undermined by a phenomenon known as MFA Fatigue. Attackers exploit human psychology to bypass MFA by overwhelming users with repeated authentication prompts, leading to compromised accounts. This became urgent because traditional MFA methods like simple “Approve/Deny” buttons are no longer sufficient to protect against sophisticated attacks.

The Mechanics: Prompt Bombing

MFA Fatigue, also known as Prompt Bombing, is a prevalent attack vector used by threat actors such as Lapsus$ and Scattered Spider. These attackers typically start with stolen credentials, often purchased on darknet markets or obtained through phishing attacks. Once they have a valid username and password, the only barrier to entry is the MFA prompt.

How It Works

1. Credential Acquisition: Attackers acquire valid credentials through various means, such as phishing or credential stuffing.
2. Prompt Bombing: They script the login portal to send multiple MFA prompts in quick succession. This creates a flood of notifications, overwhelming the user.
3. Exploiting Human Psychology: Exhausted and frustrated, users are more likely to approve any prompt without verifying its legitimacy.
4. Session Token Capture: Once the user approves the prompt, the attacker captures the session token and gains unauthorized access.

Real-World Example

Imagine Kevin in Sales receives his password scraped by an infostealer. At 2:14 AM, his phone buzzes. He ignores it. By 2:15 AM, his phone buzzes 30 more times. Tired and annoyed, Kevin eventually approves the prompt without checking its validity. The attacker now has access to Kevin’s account and, potentially, the entire corporate network.

The Fix: Kill the “Approve” Button

Relying on a simple “Approve/Deny” button for MFA is fundamentally flawed. Instead, organizations should enforce more robust verification methods.

Number Matching

Number Matching is a more secure approach where the login screen displays a randomly generated 2-digit number. The user must open their authenticator app and manually type this specific number. This method ensures that the user is actively verifying the request, not just approving it blindly.

Advantages:

• Active Verification: Users must actively engage with the prompt, reducing the chance of accidental approval.
• Human Factor Mitigation: Even if the user is tired, they must perform an additional step to approve the request.

FIDO2 Hardware Keys

For highly privileged accounts (such as Domain Admins and Global Admins), phone-based MFA should be deprecated in favor of FIDO2 hardware keys, like YubiKeys. FIDO2 keys are cryptographically bound to the TLS session and the specific domain being accessed, making them resistant to phishing attacks.

Advantages:

• Phishing Resistance: FIDO2 keys cannot be tricked by phishing attempts, as they are tied to the specific domain.
• Strong Cryptography: The cryptographic binding ensures that the key can only be used for legitimate purposes.

The Code & Config

Implementing these fixes requires configuring your IdP correctly. Let’s take a look at how to enforce Number Matching using Microsoft Entra ID (formerly Azure AD).

Enforce Number Matching via MS Graph API

Microsoft Entra ID now defaults to Number Matching, but legacy policies might override this setting. To ensure strict enforcement, you can use the Microsoft Graph API to update the authentication method configuration.

// PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
{
  "state": "enabled",
  "numberMatchingRequired": true,
  "includeTargets": [
    {
      "targetType": "group",
      "id": "your-group-id",
      "isRegistrationRequired": false
    }
  ]
}

Explanation:

• state: Enables the Microsoft Authenticator.
• numberMatchingRequired: Ensures that Number Matching is enforced.
• includeTargets: Specifies the groups or users to which this policy applies.

Additional Configuration

You can also enhance security by displaying application context and geographic location in the MFA prompt. This provides additional verification points for the user.

// PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
{
  "state": "enabled",
  "numberMatchingRequired": true,
  "displayAppContext": true,
  "displayLocationContext": true,
  "includeTargets": [
    {
      "targetType": "group",
      "id": "your-group-id",
      "isRegistrationRequired": false
    }
  ]
}

Explanation:

• displayAppContext: Shows the application name in the MFA prompt.
• displayLocationContext: Displays the location of the login attempt.

Key Takeaways

• MFA Fatigue is a serious threat: Traditional MFA methods like “Approve/Deny” buttons are vulnerable to human error.
• Enforce Number Matching: Implementing Number Matching reduces the risk of accidental approvals.
• Use FIDO2 Hardware Keys: For highly privileged accounts, FIDO2 keys provide stronger security and resistance to phishing attacks.
• Regularly update configurations: Ensure your IdP settings align with best practices to protect against evolving threats.

Conclusion

Protecting your organization from MFA Fatigue requires a proactive approach to security. By enforcing Number Matching and using FIDO2 hardware keys, you can significantly reduce the risk of unauthorized access. Stay vigilant and continuously improve your security posture to safeguard your organization against evolving threats.