websights No, not all MFA solutions are vulnerable to prompt bombing - TrustBuilder

Looking for inwebo.com? You are in the right place! Read all about it in our blog post

Come and join us in person at upcoming industry trade shows and conferences

No, not all MFA solutions are vulnerable to prompt bombing

Have you ever heard of MFA prompt bombing? It’s the hot topic of the moment in cybersecurity. This technique was recently used against Uber by the notorious hacker group “Lapsus$”.

And Uber is anything but an isolated case. Today’s cybercriminals are constantly innovating by exploiting the smallest loopholes of the digital world. They are able to bypass some strong authentication systems (2FA) that do provide an additional layer of security to user accounts, but a layer that is largely insufficient given the complexity of current attacks.


The Identity Defined Security Alliance (IDSA) recently released a report on the 2022 Trends in Securing Digital Identities. Among the 500 IT professionals interviewed, 84% reported that their organization had experienced identity theft in the past year¹. An increase of 5 points from the previous year's report.

To address these threats, it is more than essential to educate employees and customers regarding best practices and to strengthen existing security infrastructures.

How does prompt bombing work?

Prompt bombing (or push bombing) attacks use multi-factor authentication to flood users with push notifications and hack their accounts. Whether intentionally or not, some end up accepting requests initiated by the hackers.

To access their targets’ data, hackers illegally obtain valid credentials. During the login attempt, they rely on the fact that a user flooded with notifications will at some point approve the authentication. The term “MFA Fatigue” refers to the weariness of the users caused by these countless notifications.

It sounds trivial, but it worked with Uber. The hacker used an employee’s login data and sent him push notifications in an aggressive manner. Before approving the operation, the user was even contacted on WhatsApp by a so-called member of his company’s IT team, asking him to accept the notification so it would stop. This is a form of social engineering.

A successful prompt bombing attempt can give hackers the ability to add their device to the cracked account and remove the original user’s access. Depending on the permissions the victim has within the organization, attackers can access and exploit more or less confidential data and resources.

Fight prompt bombing with inWebo MFA

Modern attacks require modern methods. Here are the different solutions proposed by inWebo to counter prompt bombing:

Set up the service for more security

inWebo provides an additional level of security through its setting options. For example, it is possible to make the PIN code mandatory and not to allow biometrics on cell phones, which favors involuntary or habit-based acceptance.

Go to the “Service Parameters” section of your administration tool. Here you will have the possibility to choose to authenticate with or without PIN and to disable the field “Authentication with biometrics allowed”. Please note that when the PIN is disabled, biometric authentication is not available.

Enroll your users' browser

The inWebo Browser token solution enables the enrollment of web and mobile browsers. It certifies that the connection attempt comes from a trusted browser, i.e. from a device listed by the company. It is possible to make this handling mandatory to substantially increase the security of the connections. This system provides an answer to both prompt bombing and potential attacks from the Evil Proxy phishing service.


Find out how to add a user to your platform and to allow him to authenticate safely. Activate your account by following the procedures outlined in the email invitation. Enroll your trusted browser by activating and setting your PIN and anti-phishing phrase. Add your cell phone or complete the steps directly on your browser.

Play Video

Disable push notifications

The inWebo multi-factor authentication system allows the user to disable push notifications. To login, he will have to validate directly by himself the login attempts in the application. Without untimely solicitations, the user is protected from prompt bombing attacks.

Generate a one-time password (OTP)

The methods described above can be further enhanced with inWebo’s one-time password (OTP). This solution requires the user to generate a unique password on his cell phone. This OTP must then be entered on the trusted browser. Without any external solicitation, through a chain of certified devices, the connection to the most sensitive data is protected at the highest level.

To perform this operation, simply go to your organization’s authentication portal and select “Show me other options”. You will be asked for your login and OTP. Go to your mobile application and select “Generate an OTP”. You will then be given a one-time password, which will automatically expire after 30 seconds. Enter this password on your browser to complete your authentication.

There is still a long road ahead before making MFA systems fully resistant to prompt bombing. That being said, as the inWebo MFA solution shows, there are already many ways to fight against the technical and social diversity of cyberattacks as long as you are careful about your chosen tools and security policies. Not all solutions MFA are equal and 2FA is not as strong as MFA.

Raise awareness and educate users on best practices

The implementation of these security mechanisms alone is not enough. It is now necessary to make users aware of prompt bombing attacks and teach them how to adopt the right behavior. These preventive actions make it easier to identify suspicious authentication requests and to react accordingly.

For example, some inWebo customers have launched campaigns based on the ability of our API to send push notifications. With a simple script, administrators simulate prompt bombing attacks on all or part of the users of the solution. This way, they can detect which users are correctly reporting the attack or, on the contrary, those who give in to it. It is then possible to target and adapt the awareness messages to the technological maturity of the different audiences.

Strengthen your security infrastructure with inWebo Browser Token

This year, 82% of data breaches involved a human factor². These are the results of Verizon's 2022 Data Breach Investigations Report. This study based on 23,000 incidents and 5,200 confirmed breaches worldwide highlights the importance of awareness programs. The Uber case is in line with the results of this survey.

While existing security infrastructures offer a real layer of protection, they can also create friction and alter the user experience. Modern multi-factor authentication methods now recommend the use of FIDO2 security keys. Pairing these hardware keys with the inWebo Browser Token technology helps to fight both phishing and prompt bombing.

Prompt bombing (or push bombing) attacks use loopholes in MFA systems to bombard users with push notifications and hack their accounts. Some hackers, as in the case of Uber, even contact their victims on WhatsApp to get them to accept these authentication requests.

MFA fatigue refers to the users’ weariness with the countless push notifications they receive during an MFA prompt bombing attempt.

Multi-factor authentication (MFA), or strong authentication, is a security mechanism process that requires two or more validation factors to prove a user’s identity. Most often, it involves connecting to a network, application or other resource without having to rely on a simple username and password combination.