How MFA is Bypassed: MFA Fatigue Attacks


Hi, I'm Joshua from Beyond Identity, and we need to talk about social engineering attacks against MFA, specifically push fatigue attacks, because this is the most popular MFA bypass strategy we are seeing in the headlines today. The reality is that obtaining corporate credentials (usernames and passwords) is easy for threat actors.

They can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces. Companies frequently deploy push-based MFA to help bolster their weak password defenses. When a user logs in using push-based MFA, they receive a push notification on a second device, usually their phone, asking whether they are in fact attempting to log in. The user taps accept or approve on the push notification and the login succeeds. A push fatigue attack occurs when a threat actor runs a script that attempts to log in with a stolen username and password over and over, causing an endless stream of MFA push requests to be sent to the account owner's mobile device.

Ultimately, the target gets so overwhelmed or caught off guard that they accidentally tap the approve button to stop the deluge of notifications arriving on their phone. The threat actor now has access. The MFA has been bypassed.
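As an added example (not code from Beyond Identity or the original video), here is the detection logic a defender would run over MFA push logs to spot the pattern described above: a burst of push prompts to one user inside a short window, escalated when a prompt in that burst is finally approved. The log format, window size and threshold are assumptions.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample MFA log (not real data): ISO timestamp, user, push event, source IP.
SAMPLE_LOG = """\
2023-03-01T02:14:05Z alice push_sent 203.0.113.7
2023-03-01T02:14:40Z alice push_timeout 203.0.113.7
2023-03-01T02:14:45Z alice push_sent 203.0.113.7
2023-03-01T02:15:10Z alice push_denied 203.0.113.7
2023-03-01T02:15:15Z alice push_sent 203.0.113.7
2023-03-01T02:15:50Z alice push_timeout 203.0.113.7
2023-03-01T02:15:55Z alice push_sent 203.0.113.7
2023-03-01T02:16:30Z alice push_approved 203.0.113.7
2023-03-01T09:00:01Z bob push_sent 198.51.100.22
2023-03-01T09:00:09Z bob push_approved 198.51.100.22
"""

WINDOW = timedelta(minutes=10)  # assumed tuning values, not taken from the page
THRESHOLD = 3                   # push prompts inside WINDOW before we call it fatigue

def parse_line(line):
    ts, user, event, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event, ip

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Alert on >= threshold push prompts per user within window; escalate if approved inside the burst."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent events still inside window
    burst = {}                   # user -> alert dict for a burst that is still active
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that aged out of the window
            q.popleft()
        if not q and user in burst:      # burst expired without an approval
            del burst[user]
        if event == "push_sent":
            q.append(ts)
            if user in burst:
                burst[user].update(pushes=len(q), last=ts)
            elif len(q) >= threshold:
                burst[user] = {"user": user, "ip": ip, "severity": "fatigue",
                               "pushes": len(q), "first": q[0], "last": ts}
                alerts.append(burst[user])
        elif event == "push_approved" and user in burst:
            burst[user].update(severity="fatigue_approved", approved_at=ts)
            del burst[user]
    return alerts
```

A single prompt followed by an approval (bob) produces no alert; the alice burst is raised at the third prompt and escalated to `fatigue_approved` when the fourth is approved.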

CISA, the Cybersecurity and Infrastructure Security Agency, has consistently urged organizations to implement MFA for all users and for all services. However, it stresses that not all forms of MFA are equally secure. As you can see with push-based MFA, it can still be easily bypassed. As a result, CISA's new guidance emphasizes the need for phishing-resistant MFA that does not rely on push notifications.

This type of attack is impossible with Beyond Identity. First, there are no passwords. Beyond Identity replaces weak passwords with a public/private passkey pair, with the private key stored on the user's device in the TPM. Since this key is never shared, it can't be phished or leaked in a database. Second, Beyond Identity does not use any phishable factor as a second factor. No text messages, no push notifications, no email links, nothing.

Instead, we opt for a locally stored biometric or PIN on the user's device. This cuts out the potential for a second factor to be phished, or for an attacker to spam a user into approving their access. And lastly, Beyond Identity's crowning achievement is our robust device security posture capabilities and continuous authentication.

With Beyond Identity, you can set a list of security policies a device must meet for authentication to be approved: things like whether a firewall is enabled, what software version is running, and when and where a user is logging in from. If a device does not meet these policies, the authentication will be unsuccessful, and you can even remotely quarantine that device. And while a user is in a session, Beyond Identity can automatically check that the device remains compliant with these policies as frequently as every 10 minutes, re-validating the user in the background without any added friction, a truly invisible continuous authentication experience.

With Beyond Identity, you are always verifying and never trusting. Let us take on your burden of authentication and help you lay down your foundation for your zero trust architecture.