There is little doubt that Multi-Factor Authentication (MFA) is an essential tool that helps organizations protect against unauthorized access. That said, not all MFA mechanisms are created equal, and some could be hurting your security posture.
For a security mechanism to be truly effective it must be built around solid security practices that factor in human behaviour. For example, overly complex password requirements often lead to unfavorable human behaviour such as writing down passwords. In the context of MFA, many popular applications send a push notification to the employee’s phone to verify that a login attempt was legitimate. This type of mechanism is extremely popular because it is very user friendly. Unfortunately, this type of MFA implementation may be undermined by muscle memory.
Muscle memory is a well-known cognitive process in which repeated actions become automatic. In the context of MFA, many users have grown accustomed to approving push notifications sent to their mobile devices without thinking twice. These notifications, typically sent by MFA apps, prompt users to approve or deny a login request. Over time, users develop the habit of approving requests almost reflexively, a habit that becomes dangerous once an attacker learns to exploit it.
This type of knee-jerk response is extremely dangerous as one wrong click of a button could lead to unauthorized access with catastrophic results.
As an organization that frequently undertakes penetration testing engagements, we understand that the probability of manipulating human behaviour increases significantly if we pay attention to timing. Let’s take a quick look at two simple attacks that an attacker may use:
MFA Bombing – A type of cyberattack where the attacker has already obtained a user’s primary credentials (i.e. username/password) and repeatedly triggers multi-factor authentication (MFA) requests, hoping the target will approve one of them by mistake or out of frustration. The likelihood of success increases substantially when the attack is timed for peak login periods and/or high-stress moments, such as just before a meeting or deadline.
Social Engineering – An attacker might impersonate an employee’s IT department or a representative from the MFA provider, claiming they need to assist with a technical issue or verify the user’s identity. The attacker then uses the user’s credentials to initiate a push notification for MFA approval. When the employee receives the notification on their phone, they assume it is legitimate because it was expected. This simple action of approving the MFA request inadvertently allows the attacker to gain unauthorized access to the environment.
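To show how a defender can spot the MFA bombing pattern described above in authentication logs, here is an added example (not code from the original article or from LMQ Technology) that counts push prompts per user in a sliding window, flags a burst above a threshold, and flags an approval that arrives while a burst is active. The log format, the five-minute window and the threshold of three prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs): timestamp, user, result.
# "alice" receives a burst of prompts and finally approves one; "bob" is normal.
SAMPLE_EVENTS = """\
2024-03-01T08:58:01Z alice push_sent
2024-03-01T08:58:02Z alice push_denied
2024-03-01T08:58:20Z alice push_sent
2024-03-01T08:58:25Z alice push_timeout
2024-03-01T08:58:40Z alice push_sent
2024-03-01T08:58:41Z alice push_sent
2024-03-01T08:58:55Z alice push_approved
2024-03-01T09:10:00Z bob push_sent
2024-03-01T09:10:05Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PROMPTS = 3                 # assumed policy: more than this per window is a burst

def parse(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return alerts as (user, timestamp, prompts_in_window, kind).
    kind is 'burst' when the prompt count exceeds the threshold and
    'approved_after_burst' when the user approves during an active burst,
    which is the fatigue outcome an attacker is hoping for."""
    sent = defaultdict(deque)   # per-user timestamps of push_sent within the window
    burst = set()               # users currently in a burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, result = parse(line)
        q = sent[user]
        while q and ts - q[0] > window:      # drop prompts older than the window
            q.popleft()
        if result == "push_sent":
            q.append(ts)
            if len(q) > max_prompts and user not in burst:
                burst.add(user)              # a rate limiter would stop sending here
                alerts.append((user, ts, len(q), "burst"))
        elif result == "push_approved":
            if user in burst:
                alerts.append((user, ts, len(q), "approved_after_burst"))
            q.clear()                        # a completed login resets the state
            burst.discard(user)
    return alerts
```

The same per-user counter can drive a compensating control, such as suppressing further push prompts once the threshold is reached, rather than only raising an alert.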
According to IBM’s 2022 Cost of a Data Breach Report, human error is responsible for 23% of all data breaches. While this statistic isn’t specific to MFA or muscle memory, it underscores the significant role human behavior plays in security lapses.
A 2020 study by Palo Alto Networks found that 39% of organizations experienced security incidents involving employees inadvertently approving requests or sharing credentials under pressure or due to familiarity, which can be exacerbated by muscle memory in the context of MFA push notifications.
Research on automatic behaviors in security (such as at Carnegie Mellon University) highlights how users often develop the habit of approving or denying notifications without evaluating their legitimacy. This kind of automated response due to muscle memory can lead to attackers exploiting that behavior.
The best MFA solution to deploy will vary between organizations; however, as we acknowledged from the start: ‘For a security mechanism to be truly effective it must be built around solid security practices that factor in human behaviour.’
Therefore, if we are able to recognize potential issues with an otherwise effective and well-adopted technology, we have the opportunity to investigate and deploy compensating controls that address those shortfalls. MFA push notifications provide a very user-friendly experience that employees adopt easily, so the best option may be a solution that allows the organization to keep using this type of implementation while minimizing its inherent risk.
One such solution is LMQ Technology’s VPN Inspection Node (VIN).
The VPN Inspection Node (VIN) addresses the dual challenges of stolen user credentials and human error in MFA approvals. VIN ensures that only legitimate, authorized devices access your network, neutralizing the threat of stolen credentials being used for unauthorized access.
LMQ Technology was formed with one goal in mind, to develop and deliver innovative and diverse IT solutions and security services designed to enhance, optimize, and protect your organization.