Don’t be a 2-factor 'phushover'

So, what if I told you that I have observed, through security data, seeing upwards of 4% or more percent of your employees could be negating the value of MFA by accepting unsolicited push notifications – effectively allowing a malicious actor to bypass the controls offered by that second factor? Another aspect to push notification that provides an extra security perk is that the end user can detect and report on fraudulent unsolicited requests. How can we detect when someone implements an automation tool to always accept a 2FA push and/or help raise awareness for those users who are likely to accept unsolicited 2FA pushes? The answer is found in creating phushing awareness, or two-factor push phishing awareness. Create a positive awareness follow up to educate users and focus on getting them to report invalid pushes as fraudulent. Notify your security operations center and help desk before a phushing campaign, and space out the pushes so that there isn’t a huge impact on the help desk. While there are numerous options, the push Mobile out of band method is growing in popularity because it is generally more secure, more user friendly, and has feedback options for fraudulent reporting. Despite this, there remains vulnerability, thanks to clever folks who look to automate the push interaction and those users who simply accept unsolicited push requests. Fortunately, most MFA providers have the ability to integrate via API, which allows a security team to create a phushing tool that can send fake push notifications to their users to build awareness. This will give the security team the data needed to reduce the risk associated to push vulnerabilities.