Showing results for 
Search instead for 
Did you mean: 

How to reduce Push bombing and user MFA fatigue risks

JumpCloud Alumni
JumpCloud Alumni

Push bombing and MFA fatigue has been the hottest security topic in the recent times and attackers have found a way to circumvent the security provided by Push MFA using a script or a bot to trigger multiple login attempts with resulting in a stream of multiple push notifications to the user’s mobile device hoping user will accidentally approve the login attempt. Here are some good practices you can adopt to reduce the risks:

1. Enforce a stronger password policy. Attacker have user's password

2. Enable account lock-out for multiple failed login attempts.

3. Turn on mobile biometric as additional factor for Push MFA.

4. Use conditional access policy to allow user logging from a specific country or from a known IP.

5. Educate your users to check application or location information. Note: it may not be always available.

You can find additional information here:

What's else JumpCloud is working on?

1. Show state or region and city in Push prompt.

2. Rules to restrict multiple Protect push mfa attempts for login attempt to a specific resource

3. Number matching with Protect