Push Bombing and Multi-Factor Authorization (MFA) 

What is push bombing?

The Cybersecurity and Infrastructure Security Agency (CISA) describes push bombing as a situation where the user is bombarded with login push notifications until they hit the ‘accept’ button.

Multi-factor authentication (MFA) is the gold standard in offices worldwide. We all know the drill: you use your username (often, and inadvisably, your email address) and, perhaps, as the password, the name of your first dog and the last four digits of your social security number.

However, the user may not realize that hackers have developed many tried-and-true methods for accomplishing this, including social engineering attacks, spear phishing, and DDoS attacks. And there is another favorite tool hackers have at their disposal, and it relies on users being tired, frazzled, or annoyed enough to “cave in.” And who isn’t fatigued or frazzled in the final sprint to wrap up Q4 and holiday gifts? The technique hackers like to employ this time of year is called “push bombing.”

How Does Push-Bombing Work?

When users enable MFA on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then, the system sends an authorization request to the user to complete their login.

The MFA code or approval request usually comes through a “push” message. Users can receive it in a few ways:

  • SMS/text
  • A device popup
  • An app notification

Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.

With push-bombing, hackers start with the user’s credentials. They may get them through phishing or a large data breach password dump.

They take advantage of that push notification process. Hackers attempt to log in many times. This sends the legitimate user several push notifications, one after the other.

Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to click to approve access mistakenly.

Ways to Combat Push-Bombing

Educate Employees

Knowledge is power. When a user experiences a push-bombing attack, it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.

Let employees know what push-bombing is and how it works. Train them on what to do if they receive MFA notifications they didn’t request.

You should also give your staff a way to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.

Reduce Business Number of Apps

On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.

Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.

Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks by moving to a different form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication.

There is no push notification to approve with this type of authentication. This solution is more complex to set up but also more secure than text or app-based MFA.

Enforce Strong Password Policies

For hackers to send several push notifications, they need to have the user’s login. Enforcing strong password policies reduces the chance that a password will get breached.

Advanced Identity Management Solution

Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users then have just one login and MFA prompt to manage rather than several.

Additionally, businesses can use identity management solutions to install contextual login policies. These enable a higher level of security by adding access enforcement flexibility. The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.

Need Help Improving Your Identity & Access Security?

Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.

Are you looking for some help reinforcing your access security? Contact us today to schedule a consultation.