Skip to content
Sleeping man being woken up by an MFA push notification being sent to his phone in the middle of the night.
How hackers are leveraging push notifications to bypass multi-factor authentication.

Prompt Bombing MFA

As multi-factor authentication continues to be prioritized for security, evolving ways of bypassing MFA are born.  Social engineering techniques are far from new, in fact, social engineering dates back to 1894 when Dutch industrialist J.C. Van Marken coined the term.

Social Engineering relies on confusing victims in order to gain entry to their accounts and comes in a variety of flavors from baiting, catfishing, and spear phishing.

Human Error has long been one of the most significant hurdles to overcome for security. In 2020 Gartner found that ¼ of all breaches occur due to human error. This is something that we saw in the Solarwinds attack, and have seen again as recently as the Microsoft and Okta breaches. How exactly are attackers doing this? The answer is by annoying you in the middle of the night with a frenzy of push notifications.

What is Prompt Bombing? 

Prompt Bombing is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts. These tactics were used in the infamous Solarwinds hack, and most recently were used to bypass Microsoft and Okta’s MFA last month.

The most common way prompt bombing has been used is to bombard targeted accounts with a ton of MFA push notifications, usually at a strategic time like the middle of the night. This strategy is designed to frustrate users who are already caught off guard in the hopes that they will approve an MFA challenge-response. Ultimately, this opens the door for hackers to register their own devices as the MFA of choice for future logins, which means unlimited access for the months it takes to plan a sophisticated attack. Lapsus$ and Russian-state threat actors such as Cozy Bear (the group behind the SolarWinds hack) have both successfully executed prompt bombing campaigns in the past several months.Screenshot from Lapsus$ chat

While hackers have found ways to leverage social engineering to bypass traditional MFA with prompt bombing, the good news is there are multi-factor authenticators out there that are resistant to these types of attacks!

Phishing-Resistant Multi-Factor Authentication

Password-based MFA cannot and will not stop phishing attacks. As social engineering becomes more advanced and more prevalent, it is imperative that we look at the technology and solutions being used to counter these attacks and act accordingly. As threats evolve, so must organizations' security posture. While traditional MFA does have its benefits, one-time passwords and push notifications are not going to suffice should a user be tricked into entering a website or approving a one-off MFA challenge.

Phishing-resistant MFA is one of the most integral components of cultivating a zero-trust architecture and was a featured topic in the OMB “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles” initiative that was introduced by the White House in January.

Twosense Continuous MFA 

“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks.”

Integrating a phishing-proof MFA such as Twosense into an organization's security posture is one proactive way companies can protect themselves from potential attacks. Developed in partnership with the United States Department of Defense, Twosense uses machine learning to drive passive biometrics that can guarantee a user's identity continuously throughout the day. This approach is completely unphishable, as there are no keys or codes that can be handed to an attacker in the event of a phishing attempt. With 3 simple steps, admins can deploy MFA everywhere, on every app, all the time, while simultaneously reducing user friction and transitioning to phishing-resistant MFA.

More from the Blog

January 11, 2022

MFA Designed for Secure Call Center Facilities

Secure call center facilities face a unique and pressing challenge: maintaining PCI compliance by implementing identity...
June 23, 2022

Continuous Multi-Factor Authentication: The Future of MFA

Most people are familiar with the term multi-factor authentication, whether it be from setting up a social media...
July 14, 2022

MFA Now A Cyber-Insurance Requirement By Most Agencies To Qualify For Coverage

Compliance Plus While MFA has long been a recommendation by agencies for cyber insurance, many organizations are...

Sign Up for our Blog

We will never share your email address with third parties.