March 2023 Security Topic - MFA Fatigue Attacks

The use of Multifactor Authentication (MFA) has dramatically increased the protection of SUNY Brockport accounts (BITS). To authenticate with MFA, users enter their password and then complete a second step. Several options are available, including a code sent by text message, a code generated by a phone app, or a push notification to a phone app. Of these, push notifications are the most convenient: after entering a password, the user receives a confirmation prompt on their phone and simply taps Approve to get in.

As with anything easy and convenient, attackers have started manipulating the push notification process using a technique called “MFA Fatigue”. Organizations across the world have adopted MFA because passwords alone have proven difficult to protect (BleepingComputer). An attacker who holds a stolen password can use it to trigger the push notification process over and over, hundreds of times. The user's phone fills up with MFA prompts they never requested. Eventually some users tap Approve just to make the prompts stop, and that single tap lets the attacker into the account, as demonstrated by Reformed IT. The most high-profile example was the recent Uber data breach, in which this simple technique gave attackers administrative access to a large number of Uber systems (LMG Security).
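What a fatigue attack looks like from the identity provider's side is a burst of push prompts that are denied or time out, sometimes followed by a single approval. The script below is an added example for this article, not BITS or any vendor's code: it runs a sliding-window check over constructed log lines. The one-line format "<ISO timestamp> <user> <result>", the result vocabulary APPROVED / DENIED / TIMEOUT, and the 10-minute window and 5-prompt threshold are all assumptions made for the example.

```python
"""Detect MFA-fatigue bursts in push-prompt logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one push-MFA event per line.
# alice: a normal sign-in. carol: two denials hours apart (noise).
# bob: six unanswered/denied prompts in five minutes, then an approval.
SAMPLE_LOG = """\
2023-03-06T08:01:10Z alice APPROVED
2023-03-06T09:30:00Z carol DENIED
2023-03-06T15:45:00Z carol DENIED
2023-03-06T23:14:02Z bob TIMEOUT
2023-03-06T23:14:40Z bob DENIED
2023-03-06T23:15:31Z bob TIMEOUT
2023-03-06T23:16:12Z bob DENIED
2023-03-06T23:17:05Z bob TIMEOUT
2023-03-06T23:18:50Z bob DENIED
2023-03-06T23:19:30Z bob APPROVED
"""

NOT_APPROVED = {"DENIED", "TIMEOUT"}  # assumed vocabulary for prompts the user did not accept


def parse_events(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_fatigue_bursts(events, window_minutes=10, threshold=5):
    """Return {user: {"max_burst": n, "approved_after_burst": bool}} for every user
    who received at least `threshold` denied/unanswered pushes inside one window.

    approved_after_burst marks the Uber-style outcome: an approval while the burst
    is still in progress. That is a likely compromise, not a nuisance, and should be
    handled as an incident (revoke sessions, reset the password).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of recent non-approved prompts
    report = {}
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if result in NOT_APPROVED:
            q.append(ts)
            if len(q) >= threshold:
                entry = report.setdefault(user, {"max_burst": 0, "approved_after_burst": False})
                entry["max_burst"] = max(entry["max_burst"], len(q))
        elif result == "APPROVED" and len(q) >= threshold:
            report[user]["approved_after_burst"] = True
    return report


if __name__ == "__main__":
    for user, info in find_fatigue_bursts(parse_events(SAMPLE_LOG)).items():
        print(user, info)
```

On the sample data only bob is flagged, with a burst of six and an approval inside the burst. Tune the window and threshold to your own baseline: a handful of timeouts from a user who left their phone in another room is normal, but several in a few minutes at 11 PM is worth a call to that user.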

This year Brockport has experienced several successful attacks involving unexpected or excessive MFA prompting against our community members. Following the recommendations of the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft, BITS will be implementing the number matching requirement for community members who have chosen to use push notifications.

With number matching, whoever enters the password to start a sign-in, in this case the attacker, is shown a random number on the sign-in screen. The user still receives a prompt on their phone, but instead of an Approve button it asks them to type that number. The user never saw the attacker's screen, so they do not have the number and cannot complete the prompt (Microsoft). A prompt can no longer be accepted by reflex, which is how number matching prevents unintentional acceptance.
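The difference between the two prompt styles is easiest to see as a protocol exchange. The model below is an added example for this article, not Microsoft's or BITS's code: a toy identity provider that has already checked the password, a phone that answers the push, and two scenarios, a fatigued victim and a legitimate user. The two-digit number follows Microsoft's number matching; the three-attempt limit and the internal field names are assumptions made for the example.

```python
"""Approve/deny push versus number-matching push, as a toy protocol model (added example)."""
import hmac
import secrets


class PushMfaServer:
    """Stand-in identity provider. Methods are called after the password check passed."""

    def __init__(self, number_matching, max_attempts=3, rng=secrets.randbelow):
        self.number_matching = number_matching
        self.max_attempts = max_attempts  # assumption: burn the challenge after 3 wrong numbers
        self._rng = rng                    # injectable so tests can fix the number
        self._pending = {}                 # challenge id -> state

    def begin_signin(self, user):
        """Return (challenge_id, number). The number is shown ONLY on the sign-in screen
        that supplied the password; the push to the phone carries the challenge id alone.
        With plain approve/deny push there is no number."""
        cid = secrets.token_hex(8)
        number = self._rng(100) if self.number_matching else None  # two-digit, 00..99
        self._pending[cid] = {"user": user, "number": number, "attempts": 0, "approved": False}
        return cid, number

    def device_approve(self, cid):
        """Phone taps Approve. Accepted only for plain approve/deny push."""
        state = self._pending.get(cid)
        if state is None or self.number_matching:
            return False
        state["approved"] = True
        return True

    def device_submit_number(self, cid, number):
        """Phone types the number read from the sign-in screen."""
        state = self._pending.get(cid)
        if state is None or not self.number_matching:
            return False
        state["attempts"] += 1
        if hmac.compare_digest(f"{number:02d}", f"{state['number']:02d}"):
            state["approved"] = True
            return True
        if state["attempts"] >= self.max_attempts:
            del self._pending[cid]  # too many wrong numbers: the sign-in must start over
        return False

    def is_authenticated(self, cid):
        state = self._pending.get(cid)
        return bool(state and state["approved"])


def fatigue_attack(server, victim_guess=0):
    """Attacker holds the stolen password and sits at the sign-in screen. The victim's
    phone buzzes; worn down, the victim does whatever makes it stop: taps Approve, or,
    when a number is demanded, types a guess, because the real number is on the
    attacker's screen, not theirs."""
    cid, number_on_attacker_screen = server.begin_signin("victim")
    if server.number_matching:
        server.device_submit_number(cid, victim_guess)
    else:
        server.device_approve(cid)
    return server.is_authenticated(cid)


def legitimate_signin(server):
    """Same user at their own screen: they can read the number and type it."""
    cid, number_on_own_screen = server.begin_signin("victim")
    if server.number_matching:
        server.device_submit_number(cid, number_on_own_screen)
    else:
        server.device_approve(cid)
    return server.is_authenticated(cid)


if __name__ == "__main__":
    print("plain push, fatigued victim taps Approve:", fatigue_attack(PushMfaServer(False)))
    print("number matching, fatigued victim guesses:", fatigue_attack(PushMfaServer(True)))
    print("number matching, legitimate user:", legitimate_signin(PushMfaServer(True)))
```

With plain push the victim's tap is all the attacker needs. With number matching a blind guess succeeds about one time in a hundred per attempt, which is why the model also caps wrong attempts rather than letting a tired user keep guessing. Note what number matching does not stop: an attacker who phones the victim pretending to be the help desk and reads the number off their own screen. Treat any request to type a number for a sign-in you did not start the same way as an unexpected prompt, and report it.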

Number matching is one technique for preventing these attacks. RSA, a computer and network security company, points out that the first step of an MFA fatigue attack is a compromised password; protecting credentials therefore also prevents excessive and unexpected prompting (RSA). Even with MFA in place, report unusual account activity, including MFA prompts you did not initiate, and reset your password to secure the account.

Account protections, including MFA, will continue to evolve as attackers change tactics and find success. It is important that we adapt as individuals and as an organization to ensure the protection of our campus community members, technology resources and the sensitive information we are entrusted with.

Need to report an IT security event or incident?

To report, please submit a ticket here: Report an IT Security Incident or call the IT Service Desk at (585) 395-5151 Option 1.

Details
Article ID: 144865
Created: Thu 3/16/23 7:07 AM
Modified: Fri 3/29/24 9:32 AM