BIPI

MFA Push Bombing Still Works. Here Is What Actually Stops It

Cybersecurity

Number-matching helped, but threat actors adapted within months. The durable fix is FIDO2 and passkeys for the populations that matter, with interim mitigations covering everyone else.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 18, 2024 · 6 min read

#mfa #identity #phishing #defense

The Uber breach in 2022 made MFA fatigue a household phrase in security. Two years later, we are still cleaning it up. A manufacturing client got hit last quarter: an attacker had valid creds (phished or purchased), called the help desk to social-engineer a session, and pushed 73 MFA prompts to the user over three hours. The user finally approved one to make the alerts stop. The attacker logged in, dropped a beacon on the user's machine, and pivoted to AD.

Why number matching is not enough

Microsoft, Okta, and Duo all rolled out number matching as the answer. The user has to type the digits shown on the login screen into the authenticator app. It does help: a recent Okta study showed a 72% reduction in successful push-bomb attacks after enforcement.

The remaining 28% is the problem. Adversary-in-the-middle (AiTM) phishing kits like EvilProxy, Tycoon 2FA, and Mamba capture the number-match challenge in real time. They proxy the login flow, show the user a real Microsoft prompt, and pass the typed digits straight back. Users see what they expect, type what is asked, and the kit walks away with a session cookie.

The durable fix: phishing-resistant MFA

FIDO2 and passkeys solve this at the protocol level. The authenticator (security key or platform passkey) cryptographically binds the response to the origin. If the user is on evil.example.com, the passkey will not produce a response that the real site accepts. The kit cannot proxy the challenge because the signed response carries the origin the browser was actually on, and the relying party rejects the mismatch.

  • YubiKey 5 series for high-privilege users (admins, executives, finance approvers): unphishable, hardware-bound, ~50 USD per user one-time
  • Platform passkeys (iOS/macOS, Android, Windows Hello) for general workforce: free, syncs across user's devices, decent UX
  • Conditional access requiring phishing-resistant MFA on sensitive resources: enforces the strong factor where it matters most
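To make the origin-binding claim concrete, here is an added example (not code from this post, Microsoft, Okta, or the FIDO Alliance) of the checks a WebAuthn relying party performs on a passkey assertion. It uses only the standard library: the authenticator's ECDSA signature is simulated with an HMAC over exactly the bytes a real authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON), with the key shared by the simulated authenticator and relying party as a stand-in for the key pair. The RP ID, origins, and user flow are constructed values.

```python
"""
Added example: why an AiTM proxy cannot relay a FIDO2/passkey login.
Standard library only; the authenticator signature is an HMAC stand-in
for ECDSA over the same bytes a real authenticator signs.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge, origin):
    # The browser, not the page's JavaScript, writes the origin the user is really on.
    obj = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(obj, separators=(",", ":")).encode()


def authenticator_sign(cred_key, effective_domain, client_data):
    # authenticatorData (simplified): rpIdHash(32) || flags(1) || signCount(4)
    auth_data = hashlib.sha256(effective_domain.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()  # stand-in for ECDSA
    return auth_data, signature


def rp_verify(cred_key, challenge, client_data, auth_data, signature):
    """Relying-party checks on an assertion; returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not cover presented data"
    return True, "ok"


def login_attempt(user_origin, kit_rewrites_fields=False):
    """Simulate one assertion ceremony with the user's browser on user_origin."""
    cred_key = secrets.token_bytes(32)   # stands in for the credential key pair
    challenge = secrets.token_bytes(32)  # issued by the real RP, relayed unchanged by a kit
    client_data = browser_client_data(challenge, user_origin)
    auth_data, signature = authenticator_sign(cred_key, user_origin.split("://", 1)[1], client_data)
    if kit_rewrites_fields:
        # A proxy that edits origin and rpIdHash to look legitimate breaks the signature,
        # because both fields are inside the signed bytes.
        cd = json.loads(client_data)
        cd["origin"] = EXPECTED_ORIGIN
        client_data = json.dumps(cd, separators=(",", ":")).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify(cred_key, challenge, client_data, auth_data, signature)


if __name__ == "__main__":
    print(login_attempt("https://login.example.com"))
    print(login_attempt("https://evil.example.com"))
    print(login_attempt("https://evil.example.com", kit_rewrites_fields=True))
```

The three calls show the three outcomes: the genuine origin verifies; a relayed assertion from the proxy's domain fails on the origin field; and an assertion with the origin and rpIdHash rewritten fails the signature check. In a real browser the first line of defence comes even earlier, since the browser will not let a page on evil.example.com use a credential scoped to login.example.com at all; the relying-party checks shown here are the backstop that makes the binding verifiable server-side.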

Realistic rollout

Nobody flips a switch and goes 100% FIDO2 in a week. The phased model that works:

  1. Phase 1 (30 days): Issue YubiKeys to Tier 0 admins (domain admins, cloud root admins, security tools admins). Enforce phishing-resistant MFA on these accounts via conditional access.
  2. Phase 2 (60 days): Extend to Tier 1 (server admins, finance approvers, HR with PII access, executives). Roll out platform passkey enrollment for general workforce as opt-in.
  3. Phase 3 (90-180 days): Mandate passkey enrollment for all knowledge workers. Push number matching for the long tail of users who refuse passkeys.
  4. Phase 4 (ongoing): Deprecate SMS, voice call, and pure push without number matching. Remove from MFA options for new enrollments.

Interim mitigations that buy time

Until you finish the FIDO2 rollout, layer these:

  • Sign-in risk policies: any anomalous geo/device combo prompts re-auth or blocks
  • Token protection (Microsoft Entra) or device trust (Okta): bind the session to a known device
  • Authenticator app number matching turned on, with reasoning shown to the user (the app says why this prompt was sent)
  • Rate-limit MFA prompts: more than 5 in 10 minutes triggers an automatic block and alerts the user via a secondary channel
  • Help desk script changes: never reset MFA over the phone without callback verification through a known-good number
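The prompt rate limit above is the one item in this list that is detection logic rather than configuration, so here is an added example (not from this post or any IdP vendor) of a sliding-window detector over sign-in log lines. It flags a user when more than 5 push prompts arrive within 10 minutes, and raises a separate, higher-severity finding when an approval lands inside such a burst, which is the "user finally approved one to make the alerts stop" outcome from the opening incident. The log format and user names are constructed sample data; the threshold and window match the post.

```python
"""
Added example: sliding-window detection of MFA push bombing over
constructed sign-in log lines.  Thresholds follow the post's interim
mitigation: more than 5 prompts in 10 minutes triggers a block.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

MAX_PROMPTS = 5                  # more than this many prompts ...
WINDOW = timedelta(minutes=10)   # ... inside this window is a burst

# Constructed sample log (one push event per line; not a real vendor export).
SAMPLE_LOG = """\
2024-01-18T09:00:05Z user=jdoe event=mfa_push result=denied
2024-01-18T09:00:41Z user=jdoe event=mfa_push result=timeout
2024-01-18T09:01:00Z user=asmith event=mfa_push result=approved
2024-01-18T09:01:30Z user=jdoe event=mfa_push result=denied
2024-01-18T09:02:12Z user=jdoe event=mfa_push result=timeout
2024-01-18T09:03:05Z user=jdoe event=mfa_push result=denied
2024-01-18T09:04:30Z user=jdoe event=mfa_push result=denied
2024-01-18T09:05:50Z user=jdoe event=mfa_push result=approved
2024-01-18T09:30:00Z user=asmith event=mfa_push result=approved
"""


def parse_line(line):
    """Return (timestamp, user, result) for an mfa_push line, else None."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    if fields.get("event") != "mfa_push":
        return None
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["user"], fields["result"]


def detect_push_bombing(log_text, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Return (timestamp, user, finding) tuples in log order."""
    windows = {}     # user -> deque of prompt timestamps still inside the window
    last_block = {}  # user -> time a block was last raised, to avoid re-alerting every prompt
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result = parsed
        q = windows.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop prompts that aged out of the window
            q.popleft()
        in_burst = len(q) > max_prompts
        if in_burst and (user not in last_block or ts - last_block[user] > window):
            last_block[user] = ts
            findings.append((ts, user, "block_push_and_alert_user"))
        if in_burst and result == "approved":
            # An approval inside a burst is the fatigue outcome: treat the session as hostile.
            findings.append((ts, user, "approval_after_burst_revoke_session"))
    return findings


if __name__ == "__main__":
    for ts, user, finding in detect_push_bombing(SAMPLE_LOG):
        print(ts.isoformat(), user, finding)
```

On the sample log, jdoe trips the block on the sixth prompt at 09:04:30 and then produces an approval inside the burst at 09:05:50; asmith's two approvals, 29 minutes apart, produce nothing. The second finding is the one to route to incident response rather than the help desk, since by that point a valid session may already exist.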

Measuring success

Two metrics worth tracking:

  • 85%: Tier 0/1 admins on phishing-resistant MFA within 90 days
  • 0: Successful push-bomb attacks against FIDO2-enrolled accounts

If you are still running pure push notifications without number matching in 2026, you are not running MFA. You are running a phishing accelerator with extra steps.

The economics now favor passkeys. Apple, Google, Microsoft, and 1Password all sync them seamlessly. The user experience is better than passwords. The security is dramatically better than push. The remaining barrier is your IdP configuration and a 90-day rollout plan. Both are solvable problems with known answers.
