AuthPoint "MFA Fatigue" attacks

Hi,
In light of recent "MFA Fatigue" attacks, the most recent one being the Uber breach, is there any way of restricting such attacks on AuthPoint?
Can the number of push notifications to a user be controlled in some way?

Cheers

Comments

  • You can adjust the timeouts between pushes on the portal in global settings… I believe in there is also where you configure “block user after X failed attempts”
  • > @Tristan.Colo said:
    > You can adjust the timeouts between pushes on the portal in global settings… I believe in there is also where you configure “block user after X failed attempts”

    Thanks Tristan. I tried that but it seems I cannot adjust the timeout between push notifications. The failed attempts seem to be logged only when the username or password entered is incorrect.
    Also it seems "Login Attempts" setting does not apply to users synced from an external identity which we're currently doing.
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/authpoint_settings.html?cshid=13018

    We're basically looking at a scenario where the username/password has been compromised and the external actor is trying to flood the user's device with push notifications hoping that the user would click "Approve" to make the message go away.

  • > @mashiyer said:
    > Thanks Tristan. I tried that but it seems I cannot adjust the timeout between push notifications. The failed attempts seem to be logged only when the username or password entered is incorrect.
    > Also it seems "Login Attempts" setting does not apply to users synced from an external identity which we're currently doing.
    > https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/authpoint_settings.html?cshid=13018
    >
    > We're basically looking at a scenario where the username/password has been compromised and the external actor is trying to flood the user's device with push notifications hoping that the user would click "Approve" to make the message go away.

    Interesting because we mainly do Externally synced users and this timeout works.

    Now you have to make sure that if you update the timeout here that you update the timeout on the firewall if you are using RADIUS to match.
  • I would like to know in relation to this type of attack, is there already an internal strategy in Watchguard to block push notifications after several push denials?

  • edited October 2022

    That is a tough one. I have recently had a rash of (crap) with some overseas folks who simply roll their IP address seemingly by the second. So, we get a push from IP "A", then from "B" and on and on and on...so, what do we block and for how long?

    -removed section of comment - James C-

    While not the answer to your question...is saying 'no' creating an undue burden on your admission control or is just the error log bothersome?
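A detection-side illustration of the scenario discussed in this thread (a compromised password used to flood one user with pushes, with the source IP rotating between them), added here as an example and not code from WatchGuard or from any poster: it keys on the user rather than the source address and flags a user who receives more than a few pushes in a short window or keeps denying them. The log format is constructed for the example and is not AuthPoint's real log format; the thresholds are assumptions to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not AuthPoint's format): timestamp, user, event, source IP.
# "alice" is pushed five times in under a minute from five different addresses,
# denies twice, then approves; "bob" is a normal single login.
SAMPLE_LOG = """\
2022-10-03T08:00:01Z alice push_sent 203.0.113.10
2022-10-03T08:00:09Z alice push_denied 203.0.113.10
2022-10-03T08:00:15Z alice push_sent 203.0.113.11
2022-10-03T08:00:22Z alice push_denied 203.0.113.11
2022-10-03T08:00:31Z alice push_sent 203.0.113.12
2022-10-03T08:00:40Z alice push_sent 203.0.113.13
2022-10-03T08:00:55Z alice push_sent 203.0.113.14
2022-10-03T08:01:02Z alice push_approved 203.0.113.14
2022-10-03T08:05:00Z bob push_sent 198.51.100.7
2022-10-03T08:05:20Z bob push_approved 198.51.100.7
"""

def parse(log_text):
    """Yield (timestamp, user, event, ip) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_floods(log_text, max_pushes=3, window=timedelta(minutes=2), max_denials=2):
    """Return {user: summary} for users whose push volume or denial count looks like
    a fatigue attack. Keyed on the user, because blocking per source IP fails when
    the attacker changes address between pushes."""
    recent = defaultdict(deque)   # user -> timestamps of pushes inside the sliding window
    denials = defaultdict(int)    # user -> total denied pushes
    ips = defaultdict(set)        # user -> distinct source addresses seen
    flagged = {}
    for ts, user, event, ip in parse(log_text):
        ips[user].add(ip)
        if event == "push_denied":
            denials[user] += 1
        elif event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            if len(q) > max_pushes or denials[user] >= max_denials:
                entry = flagged.setdefault(user, {"pushes_in_window": 0, "approved_after_flood": False})
                entry["pushes_in_window"] = max(entry["pushes_in_window"], len(q))
                entry["denials"] = denials[user]
                entry["source_ips"] = len(ips[user])
        elif event == "push_approved" and user in flagged:
            entry = flagged[user]
            entry["approved_after_flood"] = True   # the outcome the attacker is hoping for
    return flagged
```

An approval that arrives after a user was already flagged is the event worth alerting on and reviewing, since it is exactly the "click Approve to make it stop" outcome described above.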
