OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Controls around push notifications for MFA #1415

Open tghosth opened 1 year ago

tghosth commented 1 year ago

So @danielcuthbert mentioned recent attacks whereby attackers DoS'd an intended target with multiple OOB requests.

This is an issue which specifically relates to push notifications being used as MFA which I don't believe we really discuss yet but I think we should have a requirement about it somewhere.

(If someone fancies checking if NIST mentions this, that would be good 😀)

Often, it would be a 3rd party providing the MFA functionality but I think we should still mention it for completeness.

@danielcuthbert what else should we mention here? Is it sufficient to mention only allowing a certain number within a period of time?

Should we also require some sort of interactive stage i.e. you cannot just press "Approve" but rather you have to enter a code from screen or something?

mgargiullo commented 1 year ago

(If someone fancies checking if NIST mentions this

We know 800-63b 5.1.3.2 talks about OOB Verifiers and their criteria. In the end, they talk about 5.2.2 (Rate Limiting). 800-63b 5.2.2 doesn't appear to consider push notifications.

Aside from the count of failed logins before locking out the account (100), 800-63 doesn't appear to address a DoS attack against push verifiers.

Maybe someone else has a better doc to reference.

Is it time to denigrate the security posture of MFA "push approvals"?

tghosth commented 1 year ago

@set-reminder 2 weeks @danielcuthbert to look at this again

octo-reminder[bot] commented 1 year ago

Reminder Wednesday, December 21, 2022 12:00 AM (GMT+01:00)

@danielcuthbert to look at this again

maizuka commented 1 year ago

FYI, CISA published guidance around push bombing threats in MFA. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

According to this, for push notifications, an additional step called number matching is effective against push bombing.
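As an added illustration (not the ASVS project's code, nor any MFA vendor's implementation), here is a hypothetical in-memory push verifier that implements both controls raised in this thread: the per-account cap on prompts within a time window asked about in the opening comment, and the number-matching step the CISA fact sheet recommends. The policy values (3 prompts per 5 minutes, 60-second prompt lifetime, 3 wrong entries) are assumed for the example.

```python
"""Push-MFA verifier with prompt rate limiting and number matching.

Hypothetical in-memory model (example code, not the ASVS project's or any
vendor's) of the two anti-push-bombing controls discussed in the thread:
  * cap how many push prompts one account can receive per time window, so an
    attacker who holds the password cannot flood the user with prompts;
  * require the approver to enter the number shown on the login screen
    (number matching) instead of tapping a bare "Approve" button.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Challenge:
    challenge_id: str
    number: int          # shown on the login screen; the user types it into the app
    created: float
    attempts: int = 0    # wrong number entries so far
    consumed: bool = False


@dataclass
class PushMfaVerifier:
    # Assumed policy values; a real deployment would tune these.
    max_pushes: int = 3            # prompts allowed per account per window
    window_seconds: float = 300.0  # sliding window length
    challenge_ttl: float = 60.0    # a prompt expires after this many seconds
    max_attempts: int = 3          # wrong entries before the prompt is voided
    _push_times: dict = field(default_factory=dict)   # user -> [timestamps]
    _challenges: dict = field(default_factory=dict)   # user -> live Challenge

    def request_push(self, user: str, now: Optional[float] = None) -> Optional[Challenge]:
        """Issue a push prompt, or return None when the account's prompt budget is spent."""
        now = time.time() if now is None else now
        recent = [t for t in self._push_times.get(user, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_pushes:
            # Rate limit hit: send nothing to the user's device. A production
            # system should also alert the user/SOC that the account is under attack.
            self._push_times[user] = recent
            return None
        recent.append(now)
        self._push_times[user] = recent
        # A new prompt replaces any outstanding one, so only a single approval is live.
        challenge = Challenge(
            challenge_id=secrets.token_urlsafe(16),
            number=secrets.randbelow(100),  # two-digit code shown on the login screen
            created=now,
        )
        self._challenges[user] = challenge
        return challenge

    def approve(self, user: str, challenge_id: str, entered_number: int,
                now: Optional[float] = None) -> bool:
        """Called by the authenticator app when the user taps Approve and types the number."""
        now = time.time() if now is None else now
        challenge = self._challenges.get(user)
        if challenge is None or challenge.consumed or challenge.challenge_id != challenge_id:
            return False   # unknown, replaced, or already-used prompt
        if now - challenge.created > self.challenge_ttl:
            del self._challenges[user]
            return False   # stale prompt: the user cannot approve it later
        challenge.attempts += 1
        if challenge.attempts > self.max_attempts:
            del self._challenges[user]
            return False   # too many wrong numbers: void the prompt entirely
        # compare_digest is overkill for a two-digit code but keeps the habit.
        if not secrets.compare_digest(str(entered_number), str(challenge.number)):
            return False
        challenge.consumed = True
        return True
```

The rate limit is enforced before any notification is sent, so a blocked attempt never reaches the victim's device; the number-matching step means a user who taps through a prompt they did not initiate still cannot approve it without the value displayed on the attacker's screen.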

octo-reminder[bot] commented 1 year ago

🔔 @tghosth

@danielcuthbert to look at this again