MFA Prompt Bombing Undermines Second‑Factor Security Across Enterprises
What Happened — Attackers are abusing push‑based MFA by flooding users with authentication prompts until one is approved, a technique known as “prompt bombing.” The method bypasses the intended protection of MFA without stealing the second factor.
Why It Matters for TPRM —
- MFA is a core control in most third‑party risk frameworks; its erosion expands the attack surface of vendors.
- Prompt‑bombing can lead to credential compromise and downstream data exposure across supply‑chain relationships.
- Organizations may falsely assume MFA compliance satisfies identity‑security requirements, leaving gaps in vendor assessments.
Who Is Affected — Financial services, SaaS providers, healthcare, and any enterprise relying on push‑based MFA solutions (e.g., Microsoft Authenticator, Duo, Okta).
Recommended Actions —
- Review MFA implementations for push‑based fatigue resistance (e.g., rate‑limiting, adaptive prompts).
- Incorporate MFA prompt‑bombing tests into vendor security questionnaires.
- Deploy secondary verification steps for high‑risk actions (e.g., transaction signing).
Technical Notes — Attack vector: repeated MFA push notifications (social engineering). No known CVE; the issue stems from user‑behavior exploitation. Data types at risk include login credentials and any downstream data accessed after a successful login. Source: The Hacker News