Social Engineering Even Posing a Threat to Multifactor Security
A recent Wired article (here) on the Lapsus$ hacking group discussed the use of "Promptbombing" to defeat multifactor security methods that were otherwise quite effective. As the article itself observes, this shouldn't be taken as a call to avoid multifactor, or as a damning indictment of one of the most effective security practices out there.
Promptbombing is when a bad guy requests a password reset so often on a multifactor-protected account that the user, either mistakenly due to fatigue or out of frustration, authenticates the attempted login. Typically, if one receives an unexpected multifactor access request, it can be safely ignored. However, with Promptbombing the requests are so fast and frequent that the user experiences a kind of real-life DDoS. The victims of this "attack" receive so many access requests that they reason away the inconvenience in a number of ways, including assuming it to be a simple technical glitch. After the 15th or so multifactor prompt, they think that perhaps approving the request might make it stop.
As with almost all things about digital criminal behavior, there's an analog predecessor. In the old days, before valuables were stored online behind passwords, firewalls and multifactor authentication, they were stored behind physical alarm systems. Some of these systems were, and still are, quite effective. It didn't take criminals long, however, to deduce that there was no need to defeat an alarm system if the owner could be tricked into disarming it. This was accomplished by causing so many false alarms that the owner had no choice but to stop the false alerts by disabling the alarm until the alarm company could be called. This sanity-preserving action also had the unintended consequence of giving the thieves access to the formerly protected valuables.
In Promptbombing the bad guys cause the authentication request to be sent so often that the user eventually, mistakenly or even willingly, confirms the authentication in an effort to make it stop. (A variation on the theme involves the bad guys posing as customer service and asking the victim to read back a "verification code"; the criminals then trigger the authentication request, and the unwitting victim relays the code to them.)
Multifactor authentication is a critical component of security. However, unsuspecting users can still be manipulated by bad actors. Much like phishing, which relies on the user clicking a link, Promptbombing relies on the user accepting the authentication request. While Promptbombing isn't a technical vulnerability, it can be mitigated by requiring a more deliberate interaction from the user when an additional factor is requested, rather than a simple tap to approve. The repetition of such requests can also be limited so that the end user is never overwhelmed by authentication prompts. The configuration of each system differs, but multifactor should always be implemented in a manner that doesn't widen the security holes it's meant to close.
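The following Python sketch is an added illustration of the two mitigations described above, not code from the original post: it caps the number of push prompts a user can receive in a time window, and it requires number matching (the user must type the number shown on the login screen instead of simply tapping Approve). The class, method names and the simulated scenario are assumptions.

```python
import secrets
from collections import defaultdict, deque


class PushMfaPolicy:
    """Push-MFA policy with two controls against prompt bombing: a per-user
    cap on prompts per time window, and number matching (the user must type
    the number shown on the login screen rather than just tap Approve).
    Hypothetical server-side component, not a real product's API."""

    def __init__(self, max_prompts=3, window=300):
        self.max_prompts = max_prompts        # prompts allowed per window
        self.window = window                  # window length in seconds
        self._sent = defaultdict(deque)       # user -> prompt timestamps
        self._pending = {}                    # challenge id -> (user, number)
        self.blocked = []                     # (user, time) events worth alerting on

    def request_prompt(self, user, now):
        """Return (challenge_id, number) for a new push, or None when the user
        has already hit the cap; the caller should fail the login and alert."""
        q = self._sent[user]
        while q and now - q[0] > self.window:  # forget prompts outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            self.blocked.append((user, now))
            return None
        q.append(now)
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)        # two-digit number shown on the login screen
        self._pending[cid] = (user, number)
        return cid, number

    def verify(self, cid, user, typed_number):
        """Complete the login only if the number typed into the push matches
        the one shown on the login screen; a bare Approve tap never suffices.
        Each challenge is single-use, so a wrong guess consumes it."""
        return self._pending.pop(cid, None) == (user, typed_number)


def simulate_bombing(policy, user, attempts, start=0.0, gap=5.0):
    """Constructed scenario: someone holding the password triggers `attempts`
    logins `gap` seconds apart. Returns (prompts_sent, prompts_blocked)."""
    sent = blocked = 0
    for i in range(attempts):
        if policy.request_prompt(user, start + i * gap) is None:
            blocked += 1
        else:
            sent += 1
    return sent, blocked
```

With the default cap of three prompts per five minutes, a burst of fifteen login attempts reaches the user as only three pushes, and the remaining twelve land in `blocked` for the security team to investigate.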