US-12627707-B2 - Mitigating risk from multi-factor authentication fatigue attacks
Abstract
An authentication system identifies and mitigates the effectiveness of a Multi-factor Authentication (MFA) Fatigue attack. The attack may be detected based on the number of requests for authentication received for a user within a predetermined time window, or through user or administrator input. Once detected, the authentication system is placed in a safe mode to mitigate the MFA Fatigue attack. In safe mode, all pending requests for authentication are automatically rejected. Subsequent requests for authentication may be automatically rejected, or the authentication process may be modified to accurately differentiate authentication attempts from a legitimate user from authentication attempts that are part of the MFA Fatigue attack. To further mitigate the effectiveness of MFA Fatigue attacks, the authentication system may use simulated authentication attempts to identify and train users who are susceptible to MFA Fatigue attacks.
Inventors
- Anthony Rajakumar
Assignees
- VERCRIO, INC.
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-09-12
Claims (20)
- 1. A method for detecting a Multi-Factor Authentication (MFA) Fatigue attack, the method comprising: receiving a request for authentication for a user via an electronic interface in a Multi-Factor Authentication (MFA) process, the request for authentication comprising an identifier of the user, wherein in the MFA process each request for authentication requires the user to provide a confirmation of the request for authentication; determining if the request for authentication is part of an MFA Fatigue attack, in which repeated unauthorized requests for authentication are submitted, comprising: storing, in an electronic record, the request for authentication for the user including at least the identifier for the user and a time of the request for authentication for the user; determining a number of previous requests for authentication for the user received within a predetermined amount of time prior to the request for authentication for the user from the electronic record based on at least the identifier for the user and times of the previous requests for authentication for the user; determining that the request for authentication for the user is an MFA Fatigue attack if the number of previous requests for authentication for the user received within the predetermined amount of time is greater than a predetermined threshold number and cancelling pending requests for authentication and preventing subsequent requests for authentication if the request for authentication for the user is an MFA Fatigue attack; and proceeding with the MFA process for the user in which the user is required to provide confirmation of the request for authentication if the number of previous requests for authentication for the user received within the predetermined amount of time is not greater than the predetermined threshold number.
- 2. The method of claim 1, wherein an identifier for an originating device for the request for authentication for the user is stored with the request for authentication for the user, and wherein determining the number of previous requests for authentication for the user is further based on the originating device.
- 3. The method of claim 1, wherein at least one of the predetermined amount of time and the predetermined threshold number is configurable by the user or an administrator.
- 4. The method of claim 1, wherein at least one of the predetermined amount of time and the predetermined threshold number is configurable for individual users, groups of users, or all users within an organization.
- 5. The method of claim 1, wherein previous requests for authentication for the user included in the number of previous requests for authentication for the user comprise successful authentications, unsuccessful authentications, and indeterminate authentications.
- 6. The method of claim 1, further comprising indicating that the request for authentication for the user is an MFA Fatigue attack against an entity comprising one of only the user, a group of users that includes the user, or an organization that includes the user.
- 7. The method of claim 6, wherein the entity is configurable by the user or an administrator.
- 8. The method of claim 1, wherein after proceeding with the authentication process for the user, the method further comprises: receiving an indication from the user that the request for authentication for the user is unauthorized; and indicating that the request for authentication for the user is an MFA Fatigue attack.
- 9. The method of claim 1, wherein after proceeding with the authentication process for the user, the method further comprises: receiving an indication from an administrator that an entity comprising one of only the user, a group of users that includes the user, and an organization that includes the user is undergoing an MFA Fatigue attack; and indicating that the request for authentication for the user is an MFA Fatigue attack.
- 10. An authentication server for detecting a Multi-Factor Authentication (MFA) Fatigue attack, comprising: at least one memory; and a processing system comprising one or more processors coupled to the at least one memory, the processing system configured to: receive a request for authentication for a user via an electronic interface in a Multi-Factor Authentication (MFA) process, the request for authentication comprising an identifier of the user, wherein in the MFA process each request for authentication requires the user to provide a confirmation of the request for authentication; determine if the request for authentication is part of an MFA Fatigue attack, in which repeated unauthorized requests for authentication are submitted, comprising: store, in an electronic record, the request for authentication for the user including at least the identifier for the user and a time of the request for authentication for the user; determine a number of previous requests for authentication for the user received within a predetermined amount of time prior to the request for authentication for the user from the electronic record based on at least the identifier for the user and times of the previous requests for authentication for the user; determine that the request for authentication for the user is an MFA Fatigue attack if the number of previous requests for authentication for the user received within the predetermined amount of time is greater than a predetermined threshold number and cancel pending requests for authentication and prevent subsequent requests for authentication if the request for authentication for the user is an MFA Fatigue attack; and proceed with the MFA process for the user in which the user is required to provide confirmation of the request for authentication if the number of previous requests for authentication for the user received within the predetermined amount of time is not greater than the predetermined threshold number.
- 11. The authentication server of claim 10, wherein an identifier for an originating device for the request for authentication for the user is stored with the request for authentication for the user, and wherein the processing system is configured to determine the number of previous requests for authentication for the user further based on the originating device.
- 12. The authentication server of claim 10, wherein at least one of the predetermined amount of time and the predetermined threshold number is configurable by the user or an administrator.
- 13. The authentication server of claim 10, wherein at least one of the predetermined amount of time and the predetermined threshold number is configurable for individual users, groups of users, or all users within an organization.
- 14. The authentication server of claim 10, wherein previous requests for authentication for the user included in the number of previous requests for authentication for the user comprise successful authentications, unsuccessful authentications, and indeterminate authentications.
- 15. The authentication server of claim 10, wherein the processing system is further configured to indicate that the request for authentication for the user is an MFA Fatigue attack against an entity comprising one of only the user, a group of users that includes the user, or an organization that includes the user.
- 16. The authentication server of claim 15, wherein the entity is configurable by the user or an administrator.
- 17. The authentication server of claim 10, wherein after proceeding with the authentication process for the user, the processing system is further configured to: receive an indication from the user that the request for authentication for the user is unauthorized; and indicate that the request for authentication for the user is an MFA Fatigue attack.
- 18. The authentication server of claim 10, wherein after proceeding with the authentication process for the user, the processing system is further configured to: receive an indication from an administrator that an entity comprising one of only the user, a group of users that includes the user, and an organization that includes the user is undergoing an MFA Fatigue attack; and indicate that the request for authentication for the user is an MFA Fatigue attack.
- 19. The method of claim 1, wherein the request for authentication comprising the identifier of the user further comprises a valid password.
- 20. The authentication server of claim 10, wherein the request for authentication comprising the identifier of the user further comprises a valid password.
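The following is an added worked example of the detection and safe-mode logic the claims describe; it is not code from the patent, the inventor or the assignee. It keeps an electronic record of request times per user (optionally per originating device, as in claim 2), counts the previous requests inside a configurable window, and enters safe mode when that count exceeds a configurable threshold (claims 1, 3 and 4), counting every prior request regardless of outcome (claim 5). Safe mode cancels the user's pending pushes and rejects later requests, and a user or administrator report (claims 8 and 9) triggers the same transition. Class and method names, the default window and threshold, the group-based policy lookup, and the sample timeline are all assumptions; timestamps are plain seconds supplied by the caller so the behaviour is deterministic.

```python
"""Sliding-window detector for MFA Fatigue (push-bombing) attacks.

Added illustration of the patent's claims, not the patent's own code.
Names, defaults and the constructed timeline in demo() are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    window_seconds: float = 60.0  # "predetermined amount of time" (assumed default)
    threshold: int = 3            # "predetermined threshold number" (assumed default)


class FatigueDetector:
    def __init__(self, default=Policy(), user_policies=None, group_policies=None,
                 groups=None, per_device=False):
        self.default = default
        self.user_policies = user_policies or {}    # user_id -> Policy   (claims 3, 4)
        self.group_policies = group_policies or {}  # group   -> Policy   (claim 4)
        self.groups = groups or {}                  # group   -> set of user_id
        self.per_device = per_device                # claim 2: key the record on device too
        self.history = defaultdict(deque)           # key -> deque of request timestamps
        self.pending = {}                           # request_id -> user_id awaiting a push answer
        self.safe_mode = set()                      # users currently in safe mode
        self._next_id = 0

    def _policy(self, user_id):
        """Most specific configured policy wins: user, then group, then default."""
        if user_id in self.user_policies:
            return self.user_policies[user_id]
        for group, members in self.groups.items():
            if user_id in members and group in self.group_policies:
                return self.group_policies[group]
        return self.default

    def _key(self, user_id, device_id):
        return (user_id, device_id) if self.per_device else (user_id,)

    def request(self, user_id, device_id, now):
        """Handle one authentication request whose password already matched.

        Returns (status, request_id): status is 'REJECTED_SAFE_MODE',
        'ATTACK_DETECTED' or 'PUSH_SENT'; request_id is set only for PUSH_SENT.
        """
        if user_id in self.safe_mode:
            return "REJECTED_SAFE_MODE", None      # no push is sent at all
        policy = self._policy(user_id)
        hist = self.history[self._key(user_id, device_id)]
        while hist and now - hist[0] > policy.window_seconds:
            hist.popleft()                         # drop records outside the window
        previous = len(hist)                       # prior requests in window, any outcome
        hist.append(now)                           # store this request in the record
        if previous > policy.threshold:
            self.enter_safe_mode(user_id)
            return "ATTACK_DETECTED", None
        self._next_id += 1
        self.pending[self._next_id] = user_id      # the push notification goes out here
        return "PUSH_SENT", self._next_id

    def confirm(self, request_id, approved):
        """User answered a push. Access is granted only for a still-pending request."""
        user_id = self.pending.pop(request_id, None)
        return user_id is not None and approved

    def enter_safe_mode(self, user_id):
        """Cancel every pending push for the user; later requests are rejected."""
        self.safe_mode.add(user_id)
        cancelled = [rid for rid, u in self.pending.items() if u == user_id]
        for rid in cancelled:
            del self.pending[rid]
        return cancelled

    def exit_safe_mode(self, user_id):
        self.safe_mode.discard(user_id)

    def user_report(self, user_id):
        """Claim 8: the user reports a push as unauthorized."""
        return self.enter_safe_mode(user_id)

    def admin_report(self, scope, target=None):
        """Claim 9: an administrator flags a user, a group, or the whole organization
        (organization membership is assumed to be the union of configured groups)."""
        if scope == "user":
            users = {target}
        elif scope == "group":
            users = set(self.groups.get(target, ()))
        else:
            users = {u for members in self.groups.values() for u in members}
        return {u: self.enter_safe_mode(u) for u in users}


def demo():
    """Constructed timeline: five requests for one user within 60 seconds."""
    d = FatigueDetector(groups={"finance": {"alice", "bob"}})
    statuses = [d.request("alice", "laptop-1", t)[0] for t in (0, 5, 10, 15, 20)]
    after = d.request("alice", "laptop-1", 25)[0]
    return statuses, after, len(d.pending)
```

With the assumed defaults (window 60 s, threshold 3) the fifth request inside the window has four previous requests, which exceeds the threshold, so it is flagged, the four outstanding pushes are cancelled, and a sixth request is refused without a push. A late tap on one of the cancelled pushes returns False, which is the property that defeats the attack: no affirmative answer given during the flood can grant access.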
Description
CROSS REFERENCE TO RELATED APPLICATIONS
This application claims priority under 35 USC § 119 to U.S. Provisional Application No. 63/407,578, filed Sep. 16, 2022, entitled “Mitigating Risk From MFA Fatigue Attacks,” which is incorporated by reference herein in its entirety.
BACKGROUND
The use of multiple factors to authenticate a user's access to computer resources, commonly known as Multi-factor Authentication (MFA), has become widespread. Phone-based authentication applications (apps), such as Duo or Microsoft Authenticator, for example, are often used as part of an MFA system. In such an MFA system, the first factor is often a password and the second factor is a notification triggered to the authentication app on the user's phone, to which the user must respond affirmatively in order for the system to grant access. Thus, the authentication is a two-step process: the user enters their password into a web page, and if it matches, the system sends a push notification to the authentication app. If the user responds affirmatively to this notification on the user's phone, then access is granted. Attackers have formulated a new method to compromise such MFA systems and gain unauthorized access. The first step in the attack involves the compromise of passwords (through phishing, for example). Using the stolen password, the attacker may trigger repeated simultaneous authentication attempts. The repeated authentication attempts by the attacker trigger multiple confirmation notifications being pushed to the actual user's phone-based app. The actual user, of course, should respond to each of these notifications negatively. However, when faced with a flood of confirmation notifications to their authentication app, users may get fatigued with the repeated notifications and may be tempted to respond affirmatively, simply to silence the system.
Only one affirmative response is needed for the attacker to gain control of the user's account, and, accordingly, a single affirmative response made by the actual user to silence the system allows the attacker to access the account. This attack is termed an MFA Fatigue attack and may be a serious compromise to an organization's security. For example, if multiple members of an organization, e.g., employees of a business, are attacked in this manner, a single affirmative response from a single employee during an MFA Fatigue attack may allow an attacker to access the organization's accounts.
SUMMARY
An automated process is disclosed for improving the functionality of computer systems to mitigate the effectiveness of MFA Fatigue attacks. An authentication system may identify an MFA Fatigue attack automatically based on a number of requests for authentication that are received for a user within a predetermined time window, or through user or administrator input. Once detected, the authentication system may place itself into a safe mode to mitigate the MFA Fatigue attack. While in safe mode, all pending requests for authentication are automatically rejected by the authentication system. Additionally, subsequent requests for authentication may be automatically rejected, or the authentication process may be modified to accurately differentiate authentication attempts from a legitimate user from authentication attempts that are part of the MFA Fatigue attack. To further mitigate the effectiveness of MFA Fatigue attacks, the authentication system may use simulated authentication attempts to identify users who are susceptible to MFA Fatigue attacks, who may then be trained accordingly or switched to a different type of authentication procedure that is not at risk from MFA Fatigue attacks.
In one implementation, a method for detecting a Multi-Factor Authentication (MFA) Fatigue attack includes receiving an attempt at authentication for a user via an electronic interface, the attempt at authentication comprising an identifier of the user, and storing, in an electronic record, the attempt at authentication for the user including at least the identifier for the user and a time of the attempt at authentication for the user. The method includes determining a number of previous attempts at authentication for the user received within a predetermined amount of time prior to the attempt at authentication for the user from the electronic record based on at least the identifier for the user and times of the previous attempts at authentication for the user; indicating that the attempt at authentication for the user is an MFA Fatigue attack if the number of previous attempts at authentication for the user received within the predetermined amount of time is greater than a predetermined threshold number; and proceeding with an authentication process for the user if the number of previous attempts at authentication for the user received within the predetermined amount of time is not greater than the predetermined threshold number. In one implementation, an a