VIP (Validation ID Protection)


Are MFA Fatigue and Push bombing a concern to you?


    Broadcom Employee
    Posted Oct 24, 2023 01:03 PM

    An emerging threat for account takeover and fraud is coming by way of Push notifications. The user is bombarded with notifications by the threat actor, leading to MFA fatigue and the decision to just 'approve' the notification to stop it from coming. VIP already has one mitigation for this, by throttling the push notifications. VIP stops sending them for an hour if 5 deny responses were received in 5 minutes. By suspending the notifications it helps reduce the volume sent to the user.

    Earlier this year, VIP introduced another mitigation feature for MFA fatigue or Push bombing, the Push Number Challenge. This feature changes the user experience to require the end user to enter a 2-digit challenge code, which is displayed to them during the login process, into the push notification dialog prior to being allowed to approve the request. This prevents any remote initiation from being successful since the end user does not know the 2-digit challenge code that is required.

    A recorded demonstration was created to showcase how this feature works and is configured. If you have any questions, feel free to reach out to Support.

    - The Symantec VIP Product Team
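
The two mitigations described in the post, sketched as an added example; this is not Symantec VIP code and not part of the original post. The `PushGuard` class and its method names are hypothetical, and it assumes a sliding 5-minute window, a suspension that starts at the fifth deny, and that an approval with a wrong or missing code counts as a deny.

```python
import hmac
import secrets
from collections import defaultdict, deque

DENY_LIMIT = 5          # deny responses (figure from the post)
DENY_WINDOW = 5 * 60    # seconds (figure from the post)
SUSPEND_FOR = 60 * 60   # seconds (figure from the post)


class PushGuard:
    """Hypothetical server-side guard for push approvals."""

    def __init__(self):
        self.denies = defaultdict(deque)   # user -> timestamps of recent denies
        self.suspended_until = {}          # user -> time pushes may resume
        self.pending = {}                  # request id -> (user, 2-digit code)

    def may_send_push(self, user, now):
        return now >= self.suspended_until.get(user, 0)

    def start_login(self, user, now):
        """Return (request_id, code shown on the login page), or None if throttled."""
        if not self.may_send_push(user, now):
            return None
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}"   # shown only in the login session
        self.pending[request_id] = (user, code)
        return request_id, code

    def respond(self, request_id, approved, entered_code, now):
        """Handle the phone's answer; True only for approve plus matching code."""
        user, code = self.pending.pop(request_id)   # each challenge is single use
        if approved and hmac.compare_digest(code, entered_code or ""):
            return True
        # Assumption: a blind approve (wrong or missing code) is treated as a deny.
        window = self.denies[user]
        window.append(now)
        while window and window[0] <= now - DENY_WINDOW:
            window.popleft()                        # drop denies older than 5 minutes
        if len(window) >= DENY_LIMIT:
            self.suspended_until[user] = now + SUSPEND_FOR
            window.clear()
        return False
```
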