Here’s How Attackers Are Circumventing Microsoft’s Multi-factor Authentication, Expert Weighs In

By ISBuzz Team
Writer, Information Security Buzz | Aug 24, 2022 12:05 am PST

Following the news that: 

Here’s how attackers are circumventing Microsoft’s multi-factor authentication – OnMSFT.com

1 Expert Comment
Michael Tanaka, Chief Commercial Operator
August 24, 2022 8:06 am

Circumventing MFA altogether can be highly effective. In this case the attacker is simply taking advantage of the confusion that normally follows any policy change. It’s perfectly timed – users are confused and they’re unaware of what is expected of them.

User confusion and expectations also enable another attack mentioned – Push Fatigue. You might wonder why a user would respond to a push notification they didn’t initiate, but they do. Sooner or later, given enough attempts, some users will simply press “ok” because they have given up understanding what’s being asked of them; they’re tired and don’t care anymore.

It’s a clear reason why we need to minimise the number of steps to authenticate. Every step introduces the chance of user failure, system failure and attack. Keep it simple, keep it one step.
