Open tghosth opened 1 year ago
> (If someone fancies checking if NIST mentions this, that would be good 😀)
We know 800-63B 5.1.3.2 talks about OOB verifiers and their criteria. In the end, they point to 5.2.2 (Rate Limiting). 800-63B 5.2.2 doesn't appear to consider push notifications.
Aside from the count of failed logins before locking out the account (100), 800-63 doesn't appear to address a DoS attack against push verifiers.
Maybe someone else has a better doc to reference.
Is it time to denigrate the security posture of MFA "push approvals"?
@set-reminder 2 weeks @danielcuthbert to look at this again
FYI, CISA published a fact sheet on push bombing threats in MFA: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
According to this, for push notifications an additional step called number matching is effective against push bombing.
So @danielcuthbert mentioned recent attacks whereby attackers DoS'd an intended target with multiple OOB requests.
This is an issue which specifically relates to push notifications being used as MFA, which I don't believe we really discuss yet, but I think we should have a requirement about it somewhere.
(If someone fancies checking if NIST mentions this, that would be good 😀)
Often, it would be a 3rd party providing the MFA functionality but I think we should still mention it for completeness.
@danielcuthbert what else should we mention here? Is it sufficient to mention only allowing a certain number within a period of time?
Should we also require some sort of interactive stage i.e. you cannot just press "Approve" but rather you have to enter a code from screen or something?
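The two controls discussed in this thread (a cap on the number of push challenges per account within a time window, and a number-matching step instead of a bare "Approve") can be shown together in a small server-side verifier. The following is an added example, not code from this issue, from ASVS, or from NIST or CISA; the limits (3 pushes per 5-minute sliding window, 60-second challenge lifetime, lockout after 5 wrong numbers) and the names `PushVerifier`, `request_push` and `approve` are assumptions chosen for illustration.

```python
"""Toy push-approval verifier with per-account rate limiting and number
matching.  Added example; the limits below are assumptions, not a standard."""
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_PUSHES_PER_WINDOW = 3      # assumption: at most 3 push challenges per account ...
WINDOW_SECONDS = 300           # ... per 5-minute sliding window
CHALLENGE_TTL_SECONDS = 60     # assumption: a challenge expires after 60 s
MAX_FAILED_MATCHES = 5         # assumption: lock the account after 5 wrong numbers


@dataclass
class Challenge:
    user: str
    number: str        # two-digit number displayed on the login screen
    created: float
    used: bool = False


class PushVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pushes = defaultdict(deque)   # user -> timestamps of recent pushes
        self._challenges = {}               # challenge_id -> Challenge
        self._failures = defaultdict(int)   # user -> consecutive failed matches
        self._locked = set()

    def request_push(self, user):
        """Called by the login flow after the first factor succeeds.
        Returns (challenge_id, number) or None when the account is rate limited
        or locked.  The number is shown on the login screen, never in the push."""
        now = self._clock()
        if user in self._locked:
            return None
        recent = self._pushes[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop timestamps outside the window
        if len(recent) >= MAX_PUSHES_PER_WINDOW:
            return None                     # push bombing stops here: no notification sent
        recent.append(now)
        # A new request invalidates any earlier pending challenge for this user,
        # so an attacker cannot keep several live prompts in flight at once.
        for c in self._challenges.values():
            if c.user == user:
                c.used = True
        cid = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        self._challenges[cid] = Challenge(user, number, now)
        return cid, number

    def approve(self, challenge_id, entered_number):
        """Called by the authenticator app.  A bare 'Approve' (no number) or a
        wrong number is rejected; the user must type the number from the screen.
        Every challenge is single-use whatever the outcome."""
        now = self._clock()
        c = self._challenges.get(challenge_id)
        if c is None or c.used or now - c.created > CHALLENGE_TTL_SECONDS:
            return False
        if c.user in self._locked:
            return False
        c.used = True
        if entered_number is None or not hmac.compare_digest(c.number, str(entered_number)):
            self._failures[c.user] += 1
            if self._failures[c.user] >= MAX_FAILED_MATCHES:
                self._locked.add(c.user)    # repeated wrong guesses lock the account
            return False
        self._failures[c.user] = 0
        return True


if __name__ == "__main__":
    v = PushVerifier()
    cid, shown = v.request_push("alice")
    print("bare approve accepted?", v.approve(cid, None))       # False
    cid, shown = v.request_push("alice")
    print("matching number accepted?", v.approve(cid, shown))  # True
```

Because the number lives only on the login screen, an attacker who triggers the prompt cannot complete it without seeing the victim's screen, and the sliding-window cap bounds how many prompts the victim can be flooded with in the first place.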