OWASP
Controls around push notifications for MFA
So @danielcuthbert mentioned recent attacks whereby attackers dos'd an intended target with multiple OOB requests,
This is an issue which specifically relates to push notifications being used as MFA which I don't believe we really discuss yet but I think we should have a requirement about it somewhere.
(If someone fancies checking if NIST mentions this, that would be good 😀)
Often, it would be a 3rd party providing the MFA functionality but I think we should still mention it for completeness.
@danielcuthbert what else should we mention here? Is it sufficient to mention only allowing a certain number within a period of time?
Should we also require some sort of interactive stage i.e. you cannot just press "Approve" but rather you have to enter a code from screen or something?
(If someone fancies checking if NIST mentions this
We know 800-63b 5.1.3.2 talks about OOB Verifiers and their criteria. In the end, they talk about 5.2.2 (Rate Limiting). 800-63b 5.2.2 doesn't appear to consider push notifications
Aside from the count of failed logins before locking out the account (100), 800-63 doesn't appear to address a dos attack against push verifiers.
Maybe someone else has a better doc to reference.
Is it time to denigrate the security posture of MFA "push approvals"?
⏰ Reminder Wednesday, December 21, 2022 12:00 AM (GMT+01:00)
@danielcuthbert to look at this again
![octo-reminder[bot] avatar](https://avatars.githubusercontent.com/in/161108?v=4 "Published by a pub.dev verified publisher"){kind=small}
FYI, CISA published around push bombing threats in MFA. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
According to this, in push notification, additional step called number matching is effective to push bombing.
Ok so the latest NIST draft says:
Out-of-band verifiers that send a push notification to a subscriber device SHOULD implement a reasonable limit on the rate or total number of push notifications that will be sent since the last successful authentication.
I would propose:
Verify that, where push notifications are used for multi-factor authentication, rate limiting or number matching is used to prevent push bombing attacks.
Could also add a link to this: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
Thoughts @elarlang @jmanico ?
Is it so widespread that it requires special mention? In general I would say it is covered by V11.2 Anti-automation requirements. An external user should not be able to trigger that functionality more often than the business limit allows.
Yeah it seems a pretty big problem and I am worried it would get lost in anti automation
Can we augment anti-automation to include this - or do we need a new requirement Josh? I have run into this issue before and it’s high impact even if it’s not widespread.
So we sort of mention it in 11.2.2 but I am not convinced it is super clear:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 11.2.2 | [MODIFIED, MOVED FROM 11.1.4] Verify that the application has anti-automation controls to protect against excessive calls to application functionality which could result in mass data exfiltration, junk data creation, resource quota exhaustion, rate limit breaches, out-of-band communication flooding, denial of service, overuse of an expensive resource, etc. | ✓ | ✓ | ✓ | 770 |
I am really ok to add a new requirement if you think it’s a good idea, Josh.
For my taste the principle of the problem is clearly covered by 11.2.2. With a separate requirement we go more the the testing guide field.
Rate limiting is only one possible fix as there is also the number matching option. That is a specific design choice and one that Microsoft for example made and that I think we need to ask organizations to consider.
As such I would still like to add a requirement for this: https://github.com/OWASP/ASVS/issues/1415#issuecomment-2373141191 @elarlang
I want to merge this but I want to finish reviewing v2 first as hopefully I will then have a better idea about section.