科技回声

A technology news platform built on Next.js, offering global technology news and discussion.

Push Notification Fatigue Leads to LA County Health Department Data Breach

19 points, by dotty, 11 months ago

7 comments

tempnow987, 11 months ago
TOTP with a changing code is simple to understand and use and very resistant to both SIM swapping and all these push based notification attacks. Push based notification attacks are relatively easy to social engineer as well - call, say you need to confirm identity and push.

Passkeys are a nightmare. For whatever reason they play SO SO badly. Microsoft / et al all seem to compete to screw this stuff up. Seriously, if you are logged into a remote desktop, the push goes through Chrome to some Microsoft thing which has a different pin / password / whatever. What's even crazier - I have a YubiKey and somehow the passkey doesn't need the actual hardware key to be plugged in - so this passkey is being stored somewhere else.

Keep it simple. I liked the U2F YubiKey flow where you had to touch the YubiKey to authenticate and I like TOTP well enough as well.
Comment #40777511 not loaded
Comment #40776950 not loaded
Y-bar, 11 months ago
I hit the "not me" button _once_ in the MS Authenticator app. Never touching that button again.

What happened was that I was immediately logged out from most systems and had to call IT to unlock my account. Apparently Outlook had initialised a login request after the 14 days validity of the previous authentication in the background with no indication on my screen that it had done so.
Comment #40776896 not loaded
bearjaws, 11 months ago
This is why I only use TOTP; my company IT was even baffled when I chose TOTP instead of the MS Authenticator app.

I don't use Authy or any of them that back up to the cloud either, since that defeats the whole point. Every time I add a new TOTP, I add it to an old OnePlus phone as a backup, and that is at home 24/7 in case I lose my main phone.

After having someone try and hijack my NPM account, and actively pursue me for a bit, I realized all other forms of 2FA are a joke. They will impersonate you to your carrier, they will try to get you to send them the code to hijack your SIM... It's basically a matter of time before any large scale organization has _one_ employee who drops the ball.
teeray, 11 months ago
Push-based MFA is a mistake for this exact reason. I don’t know why it seems every service opposes implementing pull-based TOTP, but it is strongly resistant to this abuse (since there are no notifications involved).
Comment #40776407 not loaded
Comment #40776429 not loaded
Comment #40776592 not loaded
tylerflick, 11 months ago
Why can’t orgs wise up and use security keys? Push based and SMS MFA are nothing but threat vectors.
olliej, 11 months ago
Push/prompt gating security (or most things) is bad - a lesson we keep learning[1] for myriad UI issues.

One thing I would say though is that while it's technically bad that this person hit "approve" after being bombarded with notifications, limiting repeated authentication and exponential delay on sign-in attempts is one of the most basic security protections that any authentication mechanism or service should implement, and failing to do this is a pretty basic and fundamental failure on the part of that service.

[1] It was frustrating to me when I worked on browsers where people kept trying to add extremely privileged functionality to the browser and then claiming there were no security problems because you could prompt the user. But it happens everywhere; I think Raymond Chen had a post many years ago regarding how the Windows installer used to prompt people to replace files but would keep asking until people thought they were answering wrong, which then led to non-booting machines.
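The protection olliej describes, rate limiting repeated push prompts with an exponential delay and locking the user out of push after a burst of unapproved prompts, sketched as an added example (not code from the article, the health department, or any commenter). The policy constants, the `PushPromptGate` class, and the injected clock are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values, constructed for this example; tune them to the deployment.
BASE_DELAY = 30      # seconds before a second push may be sent to the same user
MAX_DELAY = 3600     # cap on the exponential delay
LOCK_AFTER = 5       # unapproved prompts inside WINDOW lock push for that user
WINDOW = 600         # seconds over which unapproved prompts are counted


class PushPromptGate:
    """Decide whether a new push-MFA prompt may be sent to a user.

    Every prompt that is denied or expires unanswered doubles the wait before
    the next one may be sent. A burst of them locks push for the user so an
    operator has to step in, which also gives the SOC a clear signal that
    someone is bombarding that account rather than letting the user be worn down.
    """

    def __init__(self, now=time.time):
        self.now = now                            # injectable clock for testing
        self.strikes = defaultdict(int)           # consecutive unapproved prompts
        self.next_allowed = defaultdict(float)    # earliest time a push is allowed
        self.history = defaultdict(deque)         # timestamps of unapproved prompts
        self.locked = set()

    def may_send(self, user):
        """Return (allowed, reason) for sending a push to this user right now."""
        if user in self.locked:
            return False, "locked: too many unapproved prompts, operator review required"
        wait = self.next_allowed[user] - self.now()
        if wait > 0:
            return False, f"backoff: retry in {int(wait)}s"
        return True, "ok"

    def record(self, user, approved):
        """Record the outcome of a prompt; only a genuine approval resets the backoff."""
        t = self.now()
        if approved:
            self.strikes[user] = 0
            self.next_allowed[user] = 0.0
            self.history[user].clear()
            return
        self.strikes[user] += 1
        delay = min(BASE_DELAY * 2 ** (self.strikes[user] - 1), MAX_DELAY)
        self.next_allowed[user] = t + delay
        h = self.history[user]
        h.append(t)
        while h and t - h[0] > WINDOW:            # drop prompts outside the window
            h.popleft()
        if len(h) >= LOCK_AFTER:
            self.locked.add(user)

    def unlock(self, user):
        """Operator action after reviewing the account; clears lock and backoff."""
        self.locked.discard(user)
        self.record(user, approved=True)
```

Denials and unanswered prompts are treated the same because an attacker hammering "send push" never approves; the user either declines or ignores, and both should slow the next attempt.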
4nass, 11 months ago
Looks like even push notifications can be too pushy! The LA County Health Department got breached because someone got so many login alerts they just gave up and hit "approve." Cybersecurity lesson: sometimes, less is more.
Comment #40776417 not loaded