Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
Adversaries in possession of credentials to Valid Accounts may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).(Citation: Obsidian SSPR Abuse 2023)
In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to bypass or generate MFA requests.
References
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| IA-05 | Authenticator Management | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| IA-03 | Device Identification and Authentication | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| AC-02 | Account Management | mitigates | T1621 | Multi-Factor Authentication Request Generation | |
| AC-06 | Least Privilege | mitigates | T1621 | Multi-Factor Authentication Request Generation |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_identity | Cloud Identity | technique_scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
The Identity Platform can establish limits and quotas for MFA.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1621 | Multi-Factor Authentication Request Generation |
Comments
AWS Identity and Access Management can be configured to lock at user out after repeated Multi-Factor Authentication requests.
References
|