Secret Double Octopus: What is MFA Push Bombing Attack and How to Stop It
Mobile push is the workforce user’s favourite type of MFA. At its best, it streamlines user access, confirming a second factor of what you have out-of-band from the web apps, corporate apps, or desktops being accessed. At its worst, this convenient mechanism is an easy path for attackers to trick us into helping hackers breach our corporate defences.
This is because push MFA’s weakness is people; human nature. Infuriating push bombing attacks flood unsuspecting victims with fraudulent requests, and when the user complies, it wipes out any security gains we hoped to gain from MFA…
The Cyber Hut Comment: MFA is everywhere. Or should be. SDO describe an interesting issue that is arising with the use of mobile push as a possession factor. The push bombing approach is triggered by an adversary using a public login page with a target user’s known identity - and ideally their password too, if that is needed before the MFA push is sent. This can of course be automated if an adversary has access to a large credential breach. Essentially, the end user receives one or multiple push notifications and responds affirmatively - without really knowing what they are confirming - allowing the adversary to complete the authentication request, create a session and gain access. The attack is described by MITRE ATT&CK as an MFA Request Generation attack.
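One way a defender can spot the pattern described above in an identity provider’s MFA event stream, as an added example (not code from SDO or The Cyber Hut; the log line format, the event names push_sent / push_denied / push_approved, and the sample lines are all constructed assumptions). It flags a user who receives a burst of push challenges and then approves one, which is the moment the adversary gains a session:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<timestamp> <user> <event> <source_ip>".
SAMPLE_EVENTS = """\
2024-01-10T08:01:02Z alice push_sent 203.0.113.7
2024-01-10T08:01:05Z alice push_denied 203.0.113.7
2024-01-10T08:01:09Z alice push_sent 203.0.113.7
2024-01-10T08:01:14Z alice push_sent 203.0.113.7
2024-01-10T08:01:20Z alice push_sent 203.0.113.7
2024-01-10T08:01:31Z alice push_approved 203.0.113.7
2024-01-10T08:05:00Z bob push_sent 198.51.100.4
2024-01-10T08:05:06Z bob push_approved 198.51.100.4
"""


def parse_events(text):
    """Parse one event per line into (timestamp, user, event, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_bombing(events, window=timedelta(minutes=2), threshold=3):
    """Flag users who got >= threshold push challenges inside `window`; a burst that
    ends in an approval (often after earlier denials) is the push-bombing outcome."""
    by_user = defaultdict(list)
    for ts, user, event, ip in sorted(events):
        by_user[user].append((ts, event, ip))

    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev, _ in evs if ev == "push_sent"]
        for i in range(len(sent)):
            j = i
            while j + 1 < len(sent) and sent[j + 1] - sent[i] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            start, end = sent[i], sent[j] + window  # allow the approval to trail the burst
            in_burst = [(ts, ev, ip) for ts, ev, ip in evs if start <= ts <= end]
            findings[user] = {
                "push_count": j - i + 1,
                "denied_count": sum(ev == "push_denied" for _, ev, _ in in_burst),
                "approved_after_burst": any(ev == "push_approved" for _, ev, _ in in_burst),
                "source_ips": sorted({ip for _, _, ip in in_burst}),
            }
            break  # one finding per user is enough to raise an alert
    return findings
```

A finding with `approved_after_burst` set should be treated as a live compromise (revoke the session), while a burst without approval is still worth a credential reset, since the attacker evidently holds the password.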
IAM Radar by The Cyber Hut is a reader-supported publication.