For many organizations, multi-factor authentication—or MFA—is the first line of defense against the chance that an employee’s credentials have been compromised. If one of those credentials is compromised, the unauthorized user will fail subsequent tests and be blocked from spaces both physical and digital. Organizations do not usually create this system and instead rely on products like Cisco Duo to manage MFA for them.
Remember that multi-factor authentication is based on the rules of authentication: Something you know (your password), something you have (your cell phone or mobile device), and/or something you are (like your fingerprint or other biometric). Ideally, if you can’t provide or authenticate through one of these as required, your access request is denied. At the same time, a single one of these items that is stolen or compromised should not permit unauthorized entry into company systems.
MFA is a critical piece of other security measures, like zero trust networks. Read more: Zero Trust Networks (ZTN): what are they and how do I implement one?
Flaws can emerge in any good process. In this case, the weakness is MFA fatigue, which can be a real problem for companies trying to improve their cybersecurity programs. Several corporate breaches have occurred due to an employee approving an MFA request despite the fact that they are not actively authenticating into an application or computer system. The threat actor or criminal attacker can attempt to bypass MFA by first repeatedly sending SMS text messages or Authenticator push requests to a compromised account where the attacker knows the username and password.
Duo, probably the most popular MFA vendor, has provided Duo Push for years as a secure method for authentication. Attackers exploit Duo Push from a social engineering perspective, repeatedly sending requests that eventually coerce the end user into approving an illegitimate request. The attacker is counting on the fact that the end user will approve one of the authentication requests to make the requests stop. This attack exploits a weakness of human nature—giving in when fatigued—to bypass the MFA security control. In response, MFA vendors have come up with some very interesting approaches to counteract this weakness in MFA.
Duo Push requires equal effort for the end user to approve or deny the transaction. If you are faced with a dozen or more push requests and denying each one keeps presenting another push challenge, eventually the end user—who is becoming irritated seeing this over and over—is going to press “approve” to see if they get a different outcome. After all, one of the definitions of insanity is doing the same thing over and over again but expecting a different outcome.
To combat this, Duo has released the Verified Push feature, which is currently in public preview and will be available to all license levels of Duo. This is a helpful feature and one I think any Duo customer should consider testing, if not deploying.
Instead of just allowing an “approve” or “deny” single tap response characteristic of MFA, Duo Verified Push requires the end user to enter a three-digit code that pops up on their phone screen as part of a push notification in order to approve the authentication request. The end user must take an action and actively participate in the approval process by entering the three digit code. Incidentally, you can increase the code from three to up to six digits.
I think this approach will work because we are all being trained to be more suspicious. Imagine the attacker sends multiple MFA requests hoping to fatigue an end user who is configured for and expecting verified pushes. The actual legitimate user must enter the three-digit code on one of those requests in order to approve the request. What’s more, it takes less effort for the legitimate end user to deny the fraudulent requests if they know they are not currently trying to access an application. If you are being harassed with pushes, why would you make the extra effort to enter in the code? Your security team can also follow up with training that under no circumstances should an end user enter the code unless they are actively authenticating to an application, device, or operating system. That can actually be laid out in the acceptable use policy for your organization along with threat of termination for violation.
Read up on other critical security training your organization needs now: The value of phishing simulation in a strong security program.
One step up from verified push is Risk-Based Authentication (RBA) from Duo, another new feature in public preview right now that is part of their arsenal to address MFA fatigue and continuous trusted access. Unlike Verified Push, the RBA feature will not be available in all Duo offerings, which has three feature license tiers: MFA, Access, and Beyond. You’ll find the RBA feature only in the higher level Access and Beyond license tiers.
RBA takes a different approach to MFA fatigue. RBA changes the acceptable authentication methods based on the perceived risk at that point in time for that account. For example, RBA can step up the MFA requirement to a Duo Verified Push if multiple standard Duo Pushes are being denied, which indicates that an attacker is trying to fatigue an end user into supplying an approval.
RBA also now leverages enhancements in Remembered Devices to determine changes in risk. For instance, if a user turns on their corporate issued device while within the office walls the Remembered Devices policy in Duo would generate a secure device token that allows that user seamless access in that office environment. If the user then accessing those same resources remotely, Duo would detect the location change and require the device re-authenticate. Subsequently, if that location has never been seen before, Duo could force a Duo Verified Push and over time learn the user behavior of successful logins. RBA then eliminates the need to use more aggressive verification methods until the next high-risk authentication request is received.
Duo supports a large number of authentication types. Secure authentication types available in RBA include Duo Verified Push, WebAuthn security key, a platform authenticator such as Touch ID, or an OTP (one-time password). RBA allows you to determine which authentication methods are acceptable once Duo has identified a specific MFA request with more associated risk than a standard MFA login, overcoming weakness in human nature with a process that attackers can’t plan for. RBA is a welcome addition to balance more aggressive authentication method requirements with end user ease of authenticating. It only steps up the requirements when a risk is perceived, which addresses potential pushback from the user community if more aggressive methods were standard authentication mechanisms.
Get more information on RBA, including RBA’s enhanced Remembered Devices functionality: https://duo.com/docs/risk-based-auth
If you are a Duo customer, the CBTS security team would be happy to consult with you how to best implement these Duo features and fight the MFA fatigue that is likely growing among your users. If you are looking for an MFA solution, then you definitely need to consider Duo. CBTS would love the opportunity to show you how it works and recommend other managed security services.