Waking up from multifactor authentication fatigue

05 May 2023

Stuart Wells, CTO, Jumio


Dating back to the mid-1990s and the inception of phishing, hackers have long used social engineering attacks to obtain credentials and breach networks. Today’s hackers, however, aren’t hunting their next victims in AOL chat rooms. Instead, they’re right beneath our fingertips, spamming users into approving push notifications and sign-in attempts that grant outsiders inside access.

The increasing use of multifactor authentication (MFA) has been a crucial step in ensuring the security of our digital lives. However, as more systems and applications require MFA, the problem of ‘MFA fatigue’ among users has become more prevalent. This can lead to frustration and decreased security when users are repeatedly prompted to provide additional forms of authentication.

MFA and its drawbacks
With a tactic called ‘prompt bombing,’ an attacker exploits MFA fatigue by flooding a user’s device with MFA prompts, overwhelming the user until they approve a request or are tricked into providing their credentials or biometric data.

Prominent organisations such as Microsoft and Cisco have faced significant data breaches because of this tactic. In 2022, Uber faced a data breach in which hackers gained access to internal systems, including the company’s Slack channel, via this method. The breach is believed to have occurred after an Uber contractor’s personal device was infected with malware, exposing their login credentials. The attacker repeatedly tried to access the contractor’s Uber account but was initially blocked by two-factor authentication. Eventually, the contractor gave in to MFA fatigue and accepted one of the log-in approvals, allowing the attacker access.
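The pattern in the Uber incident above leaves a clear trace in an identity provider’s push logs: a run of prompts nobody asked for, several denials or timeouts, and then one approval. The following is an added example, not code from the article or from Jumio, that scans constructed MFA push log lines, keeps a sliding window of prompts per user, and raises an alert when prompts arrive faster than a user would request them; an approval that lands after a run of rejections gets its own higher-severity alert. The log format, event names, threshold and window are assumptions.

```python
"""Detecting MFA prompt bombing in push-authentication logs (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample log (not real data): timestamp, user, event, source IP.
# bob is a normal sign-in; alice is flooded with prompts and finally approves.
SAMPLE_LOG = """\
2023-05-05T02:10:01Z user=bob event=push_sent ip=198.51.100.20
2023-05-05T02:10:09Z user=bob event=push_approved ip=198.51.100.20
2023-05-05T02:14:00Z user=alice event=push_sent ip=203.0.113.7
2023-05-05T02:14:20Z user=alice event=push_denied ip=203.0.113.7
2023-05-05T02:14:40Z user=alice event=push_sent ip=203.0.113.7
2023-05-05T02:15:00Z user=alice event=push_denied ip=203.0.113.7
2023-05-05T02:15:30Z user=alice event=push_sent ip=203.0.113.7
2023-05-05T02:16:30Z user=alice event=push_timeout ip=203.0.113.7
2023-05-05T02:16:45Z user=alice event=push_sent ip=203.0.113.7
2023-05-05T02:17:00Z user=alice event=push_denied ip=203.0.113.7
2023-05-05T02:17:20Z user=alice event=push_sent ip=203.0.113.7
2023-05-05T02:17:35Z user=alice event=push_approved ip=203.0.113.7
"""

PROMPT_THRESHOLD = 3            # assumed: prompts within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)   # assumed sliding window
REJECTIONS_BEFORE_APPROVAL = 2  # denials/timeouts that make a later approval suspect


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    ip: str


@dataclass
class Alert:
    user: str
    rule: str
    timestamp: datetime
    detail: str
    recommended_action: str


def parse_line(line: str) -> Event:
    """Parse one 'ts key=value ...' log line into an Event."""
    ts_str, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                 kv["user"], kv["event"], kv["ip"])


def detect_prompt_bombing(log_text: str,
                          threshold: int = PROMPT_THRESHOLD,
                          window: timedelta = WINDOW) -> List[Alert]:
    sent: Dict[str, Deque[datetime]] = defaultdict(deque)  # push_sent times per user
    rejected: Dict[str, int] = defaultdict(int)            # denials/timeouts in current burst
    burst_alerted: Set[str] = set()                        # users already alerted this burst
    alerts: List[Alert] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        recent = sent[ev.user]
        # Slide the window: forget prompts older than WINDOW.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if not recent:  # no prompt left in the window, so any earlier burst is over
            rejected[ev.user] = 0
            burst_alerted.discard(ev.user)

        if ev.event == "push_sent":
            recent.append(ev.ts)
            if len(recent) >= threshold and ev.user not in burst_alerted:
                burst_alerted.add(ev.user)
                alerts.append(Alert(
                    ev.user, "prompt_bombing_suspected", ev.ts,
                    f"{len(recent)} push prompts within {window}",
                    "suppress further push prompts for this user and confirm via another channel"))
        elif ev.event in ("push_denied", "push_timeout"):
            rejected[ev.user] += 1
        elif ev.event == "push_approved":
            # The Uber pattern: the user gives in after rejecting several prompts.
            if len(recent) >= threshold and rejected[ev.user] >= REJECTIONS_BEFORE_APPROVAL:
                alerts.append(Alert(
                    ev.user, "approval_after_burst", ev.ts,
                    f"approved after {rejected[ev.user]} rejections in the burst",
                    "treat the session as compromised: revoke it and re-enrol the factor"))
    return alerts


if __name__ == "__main__":
    for a in detect_prompt_bombing(SAMPLE_LOG):
        print(f"{a.timestamp:%H:%M:%S} {a.user} {a.rule}: {a.detail} -> {a.recommended_action}")
```

Running it against the constructed log produces two alerts for alice and none for bob. The first rule is what lets an identity provider stop sending prompts before the user tires; the second is the signal the security team wants even when the first was missed.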

What’s more, MFA can become less effective over time as attackers become more sophisticated. Hackers can employ phishing techniques to trick users into providing their credentials, even when MFA is in place. These advances make it essential for organisations to stay up to date on the latest security threats and to continuously evaluate and update their security measures. To combat this issue, a new approach is necessary.

Smoothing friction with passwordless authentication and facial recognition
Friction in the user experience is a significant element in cases of MFA fatigue. An effective solution that tackles this component is using passwordless authentication with facial recognition technology. This method eliminates the need for users to remember and enter complex passwords, instead relying on biometric scans or device-based authentication. This can reduce the number of steps required to log into an account, making the process faster and less frustrating for users.

Biometric technology not only improves the user experience but also makes it more difficult for attackers to gain access to accounts through stolen credentials. Facial recognition provides an additional layer of security as it is difficult for attackers to replicate a user’s unique facial features, bolstering the protection provided by MFA.

Artificial intelligence, machine learning and adaptive authentication
Facial recognition solutions that utilise artificial intelligence (AI) and machine learning (ML) can significantly improve the accuracy and speed of verification. This can help to improve productivity and reduce costs for the organisation. AI and ML can be used post-authentication to verify a user’s identity by analysing their behaviour patterns. These models can detect unusual patterns in typing and mouse usage and can be used to prevent malicious activity.

Implementing adaptive authentication, which adjusts the level of security required for a given transaction based on the user’s behaviour, device, location and other factors, is an additional strategy. For example, if a user is logging in from a trusted device or location, the system may only require a single factor of authentication. But if the user is logging in from an unknown device or location, the system may require multiple factors of authentication. This approach can help to balance security and convenience for the user, making it less likely for them to fall foul of MFA fatigue.

Moreover, push notifications that display contextual information can be used as a method of authentication. To combat fatigue and make users more aware of possible attacks, notifications can be designed to prominently display the location of the user attempting to access the account. The user is then more aware of any discrepancies and is less likely to grant access inadvertently.
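The two ideas above, an adaptive policy that decides how many factors to demand and a push prompt that leads with the location of the attempt, fit together naturally. The following is an added example, not code from the article or from Jumio: it scores a sign-in on device trust, location and recent failures, maps the score to the factors required, and, when a push prompt is part of the result, builds the notification so that where the attempt is coming from is the first thing the user reads. Field names, weights and tiers are assumptions.

```python
"""Adaptive authentication policy with context-rich push prompts (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class UserProfile:
    username: str
    trusted_devices: Set[str]   # device ids the user has enrolled
    usual_countries: Set[str]   # countries the user normally signs in from


@dataclass
class SignInAttempt:
    username: str
    device_id: str
    country: str
    city: str
    ip: str
    failed_attempts_last_hour: int  # prior failed logins against this account


@dataclass
class Decision:
    score: int
    required_factors: List[str]
    push_notification: Optional[Dict[str, str]]


# Assumed risk weights: an unknown device or an unusual country each push
# the attempt past the single-factor tier on its own.
UNKNOWN_DEVICE = 40
UNUSUAL_COUNTRY = 40
REPEATED_FAILURES = 20
FAILURE_THRESHOLD = 3


def risk_score(profile: UserProfile, attempt: SignInAttempt) -> int:
    score = 0
    if attempt.device_id not in profile.trusted_devices:
        score += UNKNOWN_DEVICE
    if attempt.country not in profile.usual_countries:
        score += UNUSUAL_COUNTRY
    if attempt.failed_attempts_last_hour >= FAILURE_THRESHOLD:
        score += REPEATED_FAILURES
    return score


def required_factors(score: int) -> List[str]:
    """Map a risk score to the authentication factors demanded (assumed tiers)."""
    if score < 20:
        return ["password"]                    # trusted device and usual location
    if score < 60:
        return ["password", "push"]            # one signal is off
    return ["password", "push", "biometric"]   # unknown device and unusual location


def build_push_notification(attempt: SignInAttempt) -> Dict[str, str]:
    """Push payload whose title is the location of the attempt, not a bare 'Approve?'."""
    where = f"{attempt.city}, {attempt.country} ({attempt.ip})"
    return {
        "title": f"Sign-in attempt from {where}",
        "body": (f"Someone is trying to sign in to {attempt.username} from {where} "
                 f"on device '{attempt.device_id}'. If this is not you, tap Deny and report it."),
        "actions": "Approve|Deny and report",
    }


def evaluate_sign_in(profile: UserProfile, attempt: SignInAttempt) -> Decision:
    score = risk_score(profile, attempt)
    factors = required_factors(score)
    push = build_push_notification(attempt) if "push" in factors else None
    return Decision(score, factors, push)


if __name__ == "__main__":
    alice = UserProfile("alice", {"laptop-1"}, {"GB"})
    # Constructed attempts: her usual laptop at home, then an unknown phone abroad.
    for attempt in (
        SignInAttempt("alice", "laptop-1", "GB", "London", "198.51.100.20", 0),
        SignInAttempt("alice", "phone-x9", "NG", "Lagos", "203.0.113.7", 4),
    ):
        d = evaluate_sign_in(alice, attempt)
        print(attempt.device_id, d.score, d.required_factors)
        if d.push_notification:
            print("  push:", d.push_notification["title"])
```

The point of the policy is that a user on a trusted device in a usual location never sees a push at all, so the prompts they do see are rare and carry the attempt’s location, which is exactly the discrepancy a prompt-bombing victim needs to notice.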

User education
In addition to the above solutions, organisations should also educate their users about the importance of strong security and the risks of MFA fatigue. The Uber incident emphasises the need for not only robust security measures, but also making sure that individuals are aware of potential vulnerabilities and avoid complacency. This can include providing training on how to recognise and avoid phishing attempts, as well as encouraging users to report suspicious activity. Ultimately, this individual training will go toward reducing the systemic risk of data breaches and other security incidents.

MFA fatigue and prompt bombing are significant issues that can have a major impact on security for individuals and organisations. However, by pursuing the aforementioned tactics, businesses can improve their user experience while strengthening their security posture.