Understanding MFA Fatigue

A single accepted MFA prompt led to one of the biggest data breaches at Uber.


Multi-factor authentication (MFA) fatigue attacks, also known as MFA bombing or prompt bombing, exploit human psychology rather than technical vulnerabilities. Attackers combine stolen credentials with persistent MFA notification spam, wearing down users until they accept a prompt just to make the notifications stop.

Methods


Exploit Techniques

The attacker, typically after phishing the credentials, triggers unanticipated MFA prompts to the user's device.

The victim becomes overwhelmed by notifications or accepts the prompt out of habit


Under pressure or fatigue, the user accepts to stop the bombardment

Attackers gain full system access


Why Traditional Defenses Fall Short


This attack works because:

  • Possession of the username and password is sufficient to initiate an MFA prompt

  • The request can be initiated from any browser

  • There is no correlation between the location of the user/phone and the origin of the request


While anomaly detection techniques can help, they are ultimately just raising the bar, not fixing the root problem.


How Allthenticate Defends Against This


Allthenticate eliminates MFA Fatigue

By accepting requests only from browsers the user has marked as trusted through secure authentication, and by relying on the laws of physics to prove proximity, Allthenticate eliminates MFA fatigue while offering one of the smoothest login experiences possible.

One-Time Secure Pairing

Initial QR code scan establishes an unbreakable bond:

► Server generates a unique cryptographic nonce

► Browser displays it in a QR code

► Phone scans it and verifies through a secure channel

This browser will then be trusted for all future MFA attempts.

Proving Proximity (with Bluetooth)

Once trust is established with the browser and the phone is paired with the computer (connected over Bluetooth), users are re-logged-in automatically by sending a cryptographic challenge to the phone through the local computer over Bluetooth, which confidently asserts that the phone is near the computer that loaded the website.
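To make the trust-binding idea concrete, here is an added Python model (example code, not Allthenticate's own implementation, which this page does not publish): a server mints a one-time pairing nonce, binds the key of the phone that scanned it to that browser, and issues a login challenge only to paired browsers, so a stolen password presented from an unpaired browser never produces a prompt. The Bluetooth proximity step and the phone-to-server secure channel are assumed and not modelled; an HMAC over a shared key constructed for the demo stands in for the phone's cryptographic answer.

```python
import hashlib
import hmac
import secrets

class Server:
    # Hypothetical MFA server: it prompts only browsers already paired to a phone.
    def __init__(self):
        self.pending = {}     # pairing nonce -> browser_id waiting for a phone scan
        self.trusted = {}     # browser_id -> key shared with the paired phone
        self.challenges = {}  # browser_id -> outstanding login challenge

    def start_pairing(self, browser_id):
        nonce = secrets.token_hex(16)  # shown to the user inside a QR code
        self.pending[nonce] = browser_id
        return nonce

    def complete_pairing(self, nonce, phone_key):
        browser_id = self.pending.pop(nonce, None)  # nonce is single-use
        if browser_id is None:
            return False
        self.trusted[browser_id] = phone_key  # this phone is now bound to this browser
        return True

    def request_login(self, browser_id):
        if browser_id not in self.trusted:
            return None  # correct password from an unpaired browser: no prompt at all
        challenge = secrets.token_bytes(32)
        self.challenges[browser_id] = challenge
        return challenge  # only now does anything reach the phone

    def verify(self, browser_id, response):
        challenge = self.challenges.pop(browser_id, None)  # each challenge answered once
        if challenge is None:
            return False
        expected = hmac.new(self.trusted[browser_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def phone_answer(phone_key, challenge):
    # Stands in for the phone app answering the challenge relayed over Bluetooth (assumed).
    return hmac.new(phone_key, challenge, hashlib.sha256).digest()

def run_scenario():
    server, phone_key = Server(), secrets.token_bytes(32)  # key constructed for the demo
    nonce = server.start_pairing("users-laptop-browser")
    paired = server.complete_pairing(nonce, phone_key)  # the phone scanned the QR code
    challenge = server.request_login("users-laptop-browser")
    user_ok = server.verify("users-laptop-browser", phone_answer(phone_key, challenge))
    bombing = [server.request_login("attacker-browser") for _ in range(50)]  # phished password, unpaired browser
    return {"paired": paired, "user_ok": user_ok, "prompts_from_bombing": sum(p is not None for p in bombing)}
```

Running run_scenario() shows the paired browser logging in once while fifty login attempts from the unpaired browser generate zero prompts, which is the property that removes the fatigue lever.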

Seamless Experience


With your phone acting as a proximity-bound hardware token, the user experience is surreal.

Ultimate Security


Logins either require the phone to be physically close or a typical secure MFA interaction.

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.
