Multi-factor solutions have become the ultimate in remote access security controls. Username and password combinations are not good enough due to password reuse, poor password choices, and phishing attacks.

In fact, multi-factor authentication is now a desirable security standard, and I’d be surprised if an organization didn’t have an MFA solution in place, if they weren’t fully attacked by ransomware, if they could get cyber insurance.

Well, if I tell you, I’ve observed through security data that see more than 4% or more of employees who may negate the value of MFA by accepting unsolicited push notifications – actually allowing malicious actors to bypass Provided control for the second factor?

That might not seem like much, but when combined with poor password choice, password reuse, or password spraying attacks, these numbers create a vulnerability large enough to be of major concern.

Why push?

Multi-factor authentication reduces threats to authorized access by requiring additional forms of authentication beyond the basic username/password combination. The plugin is usually in the form of a one-time password, delivered via fob, pre-generated list, SMS, email or USB token.

In a more secure environment, solutions exist that utilize certificates, fingerprints or smart cards. However, due in part to the increased availability, security, and ease of use of smartphone platforms, mobile push has become part of the MFA landscape, and according to Gartner, “50% of enterprises using mobile authentication by 2020 will adopt out-of-band Mobile push as the backbone of authentication”.

One reason push mobile authentication is considered a security option is because it is end-to-end encrypted, preventing data tampering. Additionally, because app-based push interactions are tied to a specific device, PIN or biometric authentication is required to accept pushes.

Another area where push notifications provide additional security benefits is that end users can detect and report fraudulent unsolicited requests. With proactive monitoring of fraud reports, security teams can be alerted when accounts are compromised and can act quickly.

Push vulnerability

While push notifications have some security advantages, there are still some inherent flaws that can be exploited or abused by those wishing to avoid processing being slowed down by MFA.

• Answers to app abuse. Those wishing to avoid interacting with 2FA solutions can use a similar app. These apps will impersonate or trick the app into thinking that someone answered a call or accepted a push.

• Delegate answering service. During the registration process, others can be inserted into the workflow and effectively delegated to approve 2FA pushes/calls. For example, significant others or the secretary can be asked to approve any request.

• Unsolicited answer. As we said initially, there are many people who will simply approve an unsolicited request. Like those who click on a phishing email link, this is an awareness opportunity for users to understand the potential consequences.

• Registration Contest Conditions. Depending on how the 2FA solution is rolled out, there may be users who never authenticate remotely and trigger the 2FA solution’s mobile registration. During this time, accounts are effectively unprotected, and complicating the issue, if accounts are compromised, attackers can get their own devices in as 2FA devices.

2 factor phush

How can we detect when someone implements automated tools to consistently accept 2FA pushes and/or help raise awareness of those users who may be accepting unsolicited 2FA pushes?

The answer lies in creating phishing awareness, or two-factor push phishing awareness.

In short, most enterprise-grade 2FA solutions have API integrations that allow third-party applications to take advantage of them. This allows organizations to create 2FA-protected experiences in SaaS solutions, RDP, security and networking appliances, and more. However, it is also possible to leverage this API to perform user testing/phishing.

With this technology, awareness programs can be expanded to include quarterly 2FA phush tests with close scrutiny of losers. While there will always be a few failures, repeated failures can be a strong sign of user negligence or auto-response.

On the positive side, with some notifications and activities around the drill, the innovative security team can even reward those who report an incident as “fraud,” a huge win when a real incident occurs.

Sprint Tips:

1. Target the most recent authentication to capture people during their active time. This will reduce issues related to off-hours employees and allow for more interactive follow-ups.

2. Establish positive awareness follow-ups to educate users and focus on getting them to report invalid pushes as fraudulent.

3. Use a dedicated API interface for the push activity and name it something close to a valid “application” so that the logs are separate but the view is similar to the valid push display.

4. Notify your security operations center and help desk before launching an attack campaign, and space out pushes so as not to have a huge impact on the help desk.

5. Consider aggregating your cyber attack activity by foreign IP addresses for additional end-user training points.

Useful API Tools

MFA solutions add tremendous value to reducing the risks associated with common username/password compromises. While there are many options, the push mobile out-of-band method is gaining popularity because it is generally safer, more user-friendly, and has feedback options for fraud reporting.

Still, there are loopholes, thanks to smart people looking to automate push interactions and users who simply accept unsolicited push requests.

Fortunately, most MFA providers are able to integrate via API, which allows security teams to create a phushing tool that can send fake push notifications to users to build awareness. This will provide security teams with the data they need to reduce the risks associated with push vulnerabilities.

Ultimately, are you sure your users aren’t phushovers without assurance activities designed to test and validate?

Seth Fogie is Director of Information Security at Penn Medicine.