Push bombing (also called MFA fatigue) has been one of the hottest security topics recently. Attackers have found a way to circumvent the protection of push MFA: using a script or a bot, they trigger many login attempts, which results in a stream of push notifications to the user's mobile device, in the hope that the user will eventually approve one of them by accident. Here are some good practices you can adopt to reduce the risk:
1. Enforce a stronger password policy. Push bombing only works once the attacker already has the user's password.
2. Enable account lock-out for multiple failed login attempts.
3. Turn on mobile biometrics as an additional factor for push MFA.
4. Use a conditional access policy to allow user logins only from a specific country or from a known IP.
5. Educate your users to check the application or location information shown in the prompt. Note: it may not always be available.
You can find additional information here: https://jumpcloud.com/blog/push-bombing-mfa-fatigue
What else is JumpCloud working on?
1. Show state or region and city in Push prompt.
2. Rules to restrict multiple Protect push MFA attempts for a login attempt to a specific resource.
3. Number matching with Protect
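Practice 2 above (lock-out after repeated attempts) and roadmap item 2 (restricting repeated push attempts for one resource) both come down to counting push challenges per user and resource inside a short time window. The following is an added example, not JumpCloud code or output: it runs that rule over a constructed authentication log (the line format and event names are assumptions, not a real JumpCloud log format) and reports every user/resource pair that exceeded the push threshold, noting whether an approval followed the burst, which is the case a SOC would want to triage first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real JumpCloud output). Assumed line format:
#   <ISO timestamp> user=<name> event=<push_sent|push_approved|push_denied> src_ip=<ip> resource=<name>
# alice receives five pushes for the VPN within 40 seconds and approves the last one;
# bob is a normal login: one push, one approval.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z user=alice event=push_sent src_ip=203.0.113.10 resource=vpn
2024-01-10T09:00:09Z user=alice event=push_sent src_ip=203.0.113.10 resource=vpn
2024-01-10T09:00:17Z user=alice event=push_sent src_ip=203.0.113.10 resource=vpn
2024-01-10T09:00:25Z user=alice event=push_sent src_ip=203.0.113.10 resource=vpn
2024-01-10T09:00:33Z user=alice event=push_sent src_ip=203.0.113.10 resource=vpn
2024-01-10T09:00:41Z user=alice event=push_approved src_ip=203.0.113.10 resource=vpn
2024-01-10T09:05:00Z user=bob event=push_sent src_ip=198.51.100.7 resource=mail
2024-01-10T09:05:04Z user=bob event=push_approved src_ip=198.51.100.7 resource=mail
"""

MAX_PUSHES = 3              # pushes tolerated per (user, resource) inside WINDOW
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Split one assumed-format log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text, max_pushes=MAX_PUSHES, window=WINDOW):
    """Sliding-window rule: more than max_pushes push challenges for the same
    user and resource within `window` is flagged as a push-bombing burst.

    Returns one finding per (user, resource) burst with the time the threshold
    was first exceeded, the peak number of pushes in the window, the source IPs
    seen during the burst, and whether the user approved a push after it began.
    The same count is what an IdP would check inline to refuse sending further
    pushes (roadmap item 2) or to lock the account (practice 2).
    """
    recent = defaultdict(deque)   # (user, resource) -> timestamps of recent pushes
    active = {}                   # (user, resource) -> finding while the burst is open
    findings = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["resource"])
        ts = rec["ts"]

        if rec["event"] == "push_sent":
            q = recent[key]
            q.append(ts)
            # Drop pushes that fell out of the window; q[0] is at worst `ts` itself.
            while ts - q[0] > window:
                q.popleft()
            if len(q) > max_pushes:
                if key not in active:
                    active[key] = {
                        "user": key[0],
                        "resource": key[1],
                        "first_exceeded_at": ts.isoformat(),
                        "pushes_in_window": len(q),
                        "src_ips": set(),
                        "approved_after_burst": False,
                    }
                    findings.append(active[key])
                f = active[key]
                f["pushes_in_window"] = max(f["pushes_in_window"], len(q))
                f["src_ips"].add(rec["src_ip"])
        elif rec["event"] == "push_approved" and key in active:
            # The outcome push bombing is after: the user gave in during the burst.
            active[key]["approved_after_burst"] = True

    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG):
        print(finding)
```

Tune MAX_PUSHES and WINDOW to your own baseline of legitimate retries; a threshold of three in two minutes already separates the constructed alice burst from bob's ordinary login, and a finding with approved_after_burst set is the one to treat as a probable compromise rather than just noise.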